Abstract. Basic proof-search tactics in logic and type theory can be seen as the root-first applications of rules in an appropriate sequent calculus, preferably without the redundancies generated by permutation of rules. This paper addresses the issues of defining such sequent calculi for Pure Type Systems (PTS, which were originally presented in natural deduction style) and then organising their rules for effective proof-search. We introduce the idea of Pure Type Sequent Calculus with meta-variables (PTSCα), by enriching the syntax of a permutation-free sequent calculus for propositional logic due to Herbelin, which is strongly related to natural deduction and already well adapted to proof-search. The operational semantics is adapted from Herbelin's and is defined by a system of local rewrite rules as in cut-elimination, using explicit substitutions. We prove confluence for this system. Restricting our attention to PTSC, a type system for the ground terms of this system, we obtain the Subject Reduction property and show that each PTSC is logically equivalent to its corresponding PTS, and the former is strongly normalising iff the latter is. We show how to make the logical rules of PTSC into a syntax-directed system PS for proof-search, by incorporating the conversion rules as in syntax-directed presentations of the PTS rules for type-checking. Finally, we consider how to use the explicitly scoped meta-variables of PTSCα to represent partial proof-terms, and use them to analyse interactive proof construction. This sets up a framework PE in which we are able to study proof-search strategies, type inhabitant enumeration and (higher-order) unification.
Introduction

Pure Type Systems (PTS) (see e.g. [Bar91]) were independently introduced by Berardi [Ber88] and Terlouw [Ter89] as a generalisation of Barendregt's λ-cube, and form a convenient framework for representing a range of different extensions of the simply-typed λ-calculus. System F, System Fω [Gir72], System λΠ [Daa80, HHP87], and the Calculus of Constructions (CoC) [CH88] are examples of such systems, on which several major proof assistants are based (e.g. Coq [Coq], Lego [LP92], and the Edinburgh Logical Framework [HHP87]; Higher-Order Logic can also be presented as a PTS, but this is not the basis of its principal implementation [HOL]).

With typed λ-calculus as their basis, such systems are traditionally presented in natural deduction style, with rules introducing and eliminating logical constants (aka type constructors). Dowek [Dow93] and Muñoz [Muñ01] show how to perform proof-search in this style, by enumerating type inhabitants.

This however misses out on the advantages of sequent calculus [Gen35] for proof-search. As suggested by Plotkin [Plo87], a Gentzen-style sequent calculus (with left and right introduction rules) can be used as a basis for proof-search in the case of λΠ [PW91, Pym95] (later extended to any PTS [GR03a, GR03c]). However, the permutations of inference steps available in a Gentzen-style calculus (such as G3 [Kle52]) introduce some extra non-determinism in proof-search.

Herbelin [Her94, Her95] introduced a permutation-free calculus LJT for intuitionistic logic, exploiting the focusing ideas of Andreoli [And92], Danos et al. [DJS95] and (ultimately) ideas from Girard's linear logic [Gir87]. Herbelin's calculus has been considered as a basis for proof-search in intuitionistic logic [DP99b], generalising the uniform proof approach to logic programming (see [MNPS91] for hereditary Harrop logic). A version with cut rules and proof-terms forms an explicit substitution calculus $\bar\lambda$ [Her94, DU03] with a strong connection to (call-by-name) β-reduction and abstract machines such as that of Krivine [Kri].
This builds, as in the Curry-Howard correspondence, a computational interpretation of sequent calculus proofs on the basis of which type theory can be reformulated, now with a view to formalising proof-search. In earlier work [LDM06, Len06], we reformulated the language and proof theory of PTSs in terms of Pure Type Sequent Calculi (PTSC). The present paper completes this programme, introducing Pure Type Sequent Calculi with meta-variables (PTSCα), together with an operationalisation of proof-search in PTS in terms of PTSCα. It follows earlier work [PD98] relating $\bar\lambda$ to proof-search in the λΠ-calculus [PW91, Pym95]. Introducing meta-variables for proof-search is the main technical novelty of this paper over [LDM06].

This gives a secure but simple theoretical basis for the implementation of PTS-based systems such as Coq [Coq] and Lego [LP92]: these proof assistants feature interactive proof construction methods using proof-search tactics. As observed by [McK97], the primitive tactics are not in exact correspondence with the elimination rules of the underlying natural deduction formalism: while the tactic intro does correspond to the right-introduction rule for Π-types (whether in natural deduction or in sequent calculus), the tactics apply in Coq and Refine in Lego are much closer (in spirit) to the left-introduction rule ΠL for Π-types in the focused sequent calculus LJT than to the Π-elimination rule in natural deduction. The ΠL rule types the construct $M\cdot l$ of $\bar\lambda$, representing a list of terms with head $M$ and tail $l$:

\[
\frac{\Gamma \vdash M : A \qquad \Gamma;\langle M/x\rangle B \vdash l : C}{\Gamma;\Pi x^A.B \vdash M\cdot l : C}\ \Pi\mathrm{L}
\]



However, the aforementioned tactics are also able to postpone the investigation of the first premiss and start investigating the second. This leads to incomplete proof-terms and unification constraints to be solved. Here, we integrate these features into PTSC using explicitly scoped meta-variables. The resulting framework, called PTSCα, supports the analysis and definition of interactive proof construction tactics (as in Coq and Lego), as well as type inhabitant enumeration (see [Dow93, Muñ01]).

Of course, formalising proof-search mechanisms has already been investigated, if only to design tactic languages like Delahaye's $\mathcal{L}_{tac}$ and $\mathcal{L}_{pdt}$ [Del01]. Also noteworthy here are McBride's and Jojgov's PhD theses [McB00, GJ02], which consider extensions of type theory to admit partial proof objects. Using meta-variables similar to ours, Jojgov shows how to manage explicitly their progressive instantiation via a definitional mechanism and compares this with Delahaye's $\mathcal{L}_{tac}$ and $\mathcal{L}_{pdt}$.

While formalising the connections with this line of research remains as future work, 
the novelty of our approach here is to use the sequent calculus to bridge the usual gap 
(particularly wide for PTS and their implementations) between the rules defining a logic and 
the rules describing proof-search steps. A by-product of this bridge is ensuring correctness 
of proof-search, whose output thus need not be type-checked (which it currently is, in most 
proof assistants). 

One reason why this is possible in our framework is that it can decompose (and thus account for) some mechanisms that are usually externalised and whose outputs usually need to be type-checked, such as unification (including higher-order [Hue76]). Indeed, it integrates the idea, first expounded in [Dow93], that proof-search and unification generalise in type theory to a single process.

The rules of our framework may not be deterministic enough to be considered as specifying an algorithm, but they are atomic enough to provide an operational semantics in which algorithms such as the above can be specified. They thus provide a semantics not only for type inhabitation algorithms, but also more generally for tactic languages, and, more originally, for unification algorithms.

As an example, we consider commutativity of conjunction expressed in (the PTSCα corresponding to) System F, previously presented in [LDM06] without meta-variables. We show here how meta-variables improve the formalisation of proof-search.

Our work may be compared with that of our predecessors as follows:

Note that, in contrast to [Pym95, GR03a, GR03c], we use a focused sequent calculus (LJT) instead of an unfocused one (G3). The former forces proof-search to be 'goal-directed' in the tradition of logic programming and uniform proofs, while the latter is more relaxed and would accommodate saturation-based reasoning. Our choice here is motivated by a tighter connection with natural deduction and by the tactics currently used in proof assistants such as Coq and Lego. While [Pym95] does identify permutations of inference rules which would allow the recovery of a goal-directed strategy, [GR03c] focuses instead on the elimination of a cut-rule which then sheds a surprising light on the open problem of Expansion Postponement [GR03b].

Our move from G3 to LJT is also particularly convenient to capture the process of higher-order unification as a proof-search mechanism. Pym and Wallen address proof-search [PW91] in the particular case of λΠ, the type theory of the Edinburgh Logical Framework, using a black-box higher-order unification algorithm adapted from that of Huet. They discuss how well-typedness of meta-variable instantiations computed by unification can be exploited to control the search space. Meanwhile no meta-variables (or similar technology supporting unification) feature in [GR03a, GR03c].

In any case, this line of research keeps a traditional λ-calculus syntax for proof-terms, which thus does not reflect the structure of proof trees. We sought instead a formalism whose terms reflect how proofs and unifiers are constructed, and so moved from λ-calculus to $\bar\lambda$.

The paper's structure is as follows: Section 1 presents the syntax of PTSCα, the full language of terms and lists containing meta-variables, and gives the rewrite rules for normalisation. Section 2 relates this syntax with that of λ-calculus in PTS style and thereby derives the confluence of the PTSCα-calculus. Section 3 presents a parametric typing system PTSC for ground terms (i.e. the restriction to PTSCα-terms containing no meta-variables), and states and proves properties such as Subject Reduction. Section 4 establishes the correspondence between a PTSC and the PTS with the same parameters; we show type preservation and the strong normalisation result. Section 5 discusses proof-search in a PTSC. Section 6 introduces the inference system for PTSCα, as a way to formalise incomplete proofs and operationalise proof-search. Section 7 shows the aforementioned example. These are followed by a conclusion and discussion of directions for further work.
Some ideas and results of this paper (namely Sections 2, 3 and 4, which were already presented in [LDM06]) have been formalised and machine-checked in the Coq system [Sil09] using a de Bruijn index representation, as in e.g. [Len06].

1. Syntax and operational semantics of PTSCα

1.1. Syntax. We consider an extension (with type annotations) of the proof-term syntax $\bar\lambda$ of Herbelin's focused sequent calculus LJT [Her95]. As in $\bar\lambda$, the grammar of PTSCα features two syntactic categories: that of terms and that of lists.

The syntax depends on a given set $\mathcal S$ of sorts, written $s, s', \ldots$, a denumerable set $\mathcal X$ of variables, written $x, y, z, \ldots$, and two denumerable sets of meta-variables: those for terms, written $\alpha, \alpha', \ldots$, and those for lists, written $\beta, \beta', \ldots$. These meta-variables come with an intrinsic notion of arity.

Definition 1.1 (Terms and Lists). The set $\mathcal T$ of terms (denoted $M, N, P, \ldots, A, B, \ldots$) and the set $\mathcal L$ of lists (denoted $l, l', \ldots$) are inductively defined by:
\[
\begin{array}{rcl}
M, N, P, A, B & ::= & \Pi x^A.B \mid \lambda x^A.M \mid s \mid x\,l \mid M\,l \mid \langle M/x\rangle N \mid \alpha(M_1,\ldots,M_n)\\
l, l' & ::= & [\,] \mid M\cdot l \mid l@l' \mid \langle M/x\rangle l \mid \beta(M_1,\ldots,M_n)
\end{array}
\]
where $n$ is the arity of $\alpha$ and $\beta$.

The constructs $\Pi x^A.M$, $\lambda x^A.M$, and $\langle N/x\rangle M$ bind $x$ in $M$, and $\langle M/x\rangle l$ binds $x$ in $l$, thus defining the free variables of a term $M$ (resp. a list $l$), denoted $FV(M)$ (resp. $FV(l)$), as well as α-conversion, issues of which are treated in the usual way. Note that $FV(\alpha(M_1,\ldots,M_n)) = FV(\beta(M_1,\ldots,M_n)) = \bigcup_{i=1}^n FV(M_i)$; see the discussion on meta-variables below. A term $M$ is closed if $FV(M) = \emptyset$. As usual, let $A \to B$ denote $\Pi x^A.B$ when $x \notin FV(B)$.

Terms and lists without meta-variables are called ground terms and ground lists, respectively. (Previously, these were just called terms and lists in [LDM06].)

Lists are used to represent sequences of arguments of a function; the term $x\,l$ (resp. $M\,l$) represents the application of $x$ (resp. $M$) to the list of arguments $l$. Note that a variable alone is not a term; it must be applied to a list, possibly the empty list, denoted $[\,]$. The list $M\cdot l$ has head $M$ and tail $l$, with a typing rule corresponding to the left-introduction of Π-types (cf. Section 3). The following figure shows the generic structure of a λ-term $\lambda x_1.\ldots\lambda x_p.V\,M_1\ldots M_n$ and its $\bar\lambda$-representation as the term $\lambda x_1.\ldots\lambda x_p.V\,(M_1\cdot\ldots\cdot M_n\cdot[\,])$:

[Figure: the application spine $V\,M_1\ldots M_n$ of the λ-term, and the head $V$ applied to the list $M_1\cdot\ldots\cdot M_n\cdot[\,]$]

Successive applications give rise to list concatenation, denoted $l@l'$ (with $@$ acting as an explicit constructor). For instance, the list $(M_1\cdot\ldots\cdot M_n\cdot[\,])@(M_{n+1}\cdot\ldots\cdot M_p\cdot[\,])$ will reduce to $M_1\cdot\ldots\cdot M_n\cdot M_{n+1}\cdot\ldots\cdot M_p\cdot[\,]$.
The terms $\langle M/x\rangle N$ and $\langle M/x\rangle l$ are explicit substitutions, on terms and lists, respectively. They will be used in two ways: first, to instantiate a universally quantified variable, and second, to describe explicitly the interaction between the constructors in the normalisation process (given in Section 1.2).

More intuition about Herbelin's calculus, its syntax and operational semantics, may be found in [Her95].

Among the features added to the syntax of $\bar\lambda$, our meta-variables can be seen as higher-order variables. As in CRS [Klo80], unknown terms are represented with (meta/higher-order) variables applied to the series of (term-)variables that could occur freely in those terms, e.g. $\alpha(x,y)$ (more formally, $\alpha(x\,[\,], y\,[\,])$) represents an unknown term $M$ in which $x$ and $y$ could occur free (and no other). Such arguments $x, y$ can later be instantiated, so that $\alpha(N,P)$ represents $\{N/x\}\{P/y\}M$. In other words, a meta-variable by itself stands for something closed, i.e. a term under a series of bindings covering all its free variables, e.g. $x.y.M$ when $FV(M) \subseteq \{x,y\}$ (using a traditional notation for higher-order terms, see e.g. [Ter03, Ch. 11]).¹ This allows us to consider a simple notion of α-conversion, with $\lambda x^A.\alpha(x\,[\,]) =_\alpha \lambda z^A.\alpha(z\,[\,])$. Henceforth, however, we will elide further discussion of such matters, and simply write $=$ to denote $=_\alpha$.

This kind of meta-variable differs from that in [Muñ01], which is rather in the style of ERS [Kha90], where the variables that could occur freely in the unknown term are not specified explicitly. The drawback of our approach is that we have to know in advance the free variables that might occur free in the unknown term, but in a typed setting such as proof-search these are actually the variables declared in the typing environment. Moreover, although specifying explicitly the variables that could occur free in an unknown term might seem heavy, it actually avoids the usual (non-)confluence problems when terms contain meta-variables in the style of ERS.² The solution in [Muñ01] has the drawback of not simulating β-reduction (although the reductions reach the expected normal forms).

1.2. Operational semantics. The operational semantics of PTSCα is given by the system of reduction rules in Figure 1, comprising sub-systems B, x', and xsubst', and combinations thereof. This system extends that of [LDM06] with rules A4, Cα, Dβ. Side-conditions to avoid variable capture can be inferred from the rules. We prove confluence in Section 2.

We denote by $\to_G$ the contextual closure of the reduction relation defined by any system $G$ of rewrite rules.³ The transitive closure of $\to_G$ is denoted by $\to^+_G$, its reflexive and transitive closure is denoted by $\to^*_G$, and its symmetric reflexive and transitive closure is denoted by $\leftrightarrow^*_G$. The set of strongly normalising elements (those from which no infinite $\to_G$-reduction sequence starts) is $SN^G$. When not specified, $G$ is assumed to be the system $Bx'$ from Fig. 1.

We now show that system x' is terminating. If we add rule B, then the system fails to be terminating unless we only consider terms that are typed in a normalising typing system.

¹ We develop this in Section 6 below. There is no binding mechanism for meta-variables in the syntax of PTSCα, but at the meta-level there is a natural notion of instantiation, also presented in Section 6. We thus emphasise the fact that instantiation of meta-variables never occurs during computation; in that respect, meta-variables really behave like constants or term constructors.

² See the discussion at the end of Section 2.

³ Via contextual closure, a rewrite rule for terms can thus apply deep inside lists, and vice versa.
Figure 1: Reduction Rules



We can define an encoding $\mathcal S$, given in Fig. 2, that maps terms and lists into a first-order syntax given by the following signature:
\[
\{\star/0,\ \iota/1,\ \iota\iota/2,\ \mathit{cut}/2,\ \mathit{sub}/2\} \cup \{\mathit{tuple}^n/n \mid n \in \mathbb N\}
\]
which we then equip with the well-founded precedence relation defined by
\[
\star \prec \iota \prec \iota\iota \prec \mathit{tuple}^0 \prec \ldots \prec \mathit{tuple}^n \prec \mathit{tuple}^{n+1} \prec \ldots \prec \mathit{cut} \prec \mathit{sub}
\]
The lexicographic path ordering (lpo) induced on the first-order terms is also well-founded (definitions and results can be found in [KL80], or [Ter03, ch. 6]).

Theorem 1.2.

• If $M \to_{x'} M'$ then $\mathcal S(M) >_{lpo} \mathcal S(M')$.

• If $l \to_{x'} l'$ then $\mathcal S(l) >_{lpo} \mathcal S(l')$.

Proof. By simultaneous induction on $M$, $l$. □

Corollary 1.3. System x' is terminating (on all terms and lists). □
\[
\begin{array}{rcl}
\mathcal S(\lambda x^A.M) &=& \iota\iota(\mathcal S(A), \mathcal S(M))\\
\mathcal S(\Pi x^A.M) &=& \iota\iota(\mathcal S(A), \mathcal S(M))\\
\mathcal S(x\,l) &=& \iota(\mathcal S(l))\\
\mathcal S(M\,l) &=& \mathit{cut}(\mathcal S(M), \mathcal S(l))\\
\mathcal S(\alpha(M_1,\ldots,M_n)) &=& \mathit{tuple}^n(\mathcal S(M_1),\ldots,\mathcal S(M_n))
\end{array}
\]

Figure 2: First-order encoding (remaining cases not reproduced)



2. λ-terms and confluence

In this section we define translations between the syntax of PTSCα and that of Pure Type Systems (PTS), i.e. a variant of λ-terms. Since, in the latter, the only reduction rule (namely, β) is confluent, we infer from the translations the confluence of PTSCα.

We briefly recall the framework of PTS. Terms have the following syntax:
\[
t, u, v, T, U, V, \ldots ::= x \mid s \mid \Pi x^U.t \mid \lambda x^U.t \mid t\,u
\]
with an operational semantics given by the contextual closure of the β-reduction rule $(\lambda x^U.t)\,u \to_\beta \{u/x\}t$, in which the substitution is implicit, i.e. is a meta-operation.

Notice now that meta-variables in PTSCα behave like constants of fixed arities during reduction; so it would be natural to reduce the confluence problem of PTSCα to that of a λ-calculus extended with such constants. We avoid proving confluence of such an extension of PTS with constants. Instead we consider such a constant, say of arity $k$, directly as a free variable applied to (at least) $k$ arguments (indeed, such an approach could also justify confluence for the extended system).

Consequently we set aside some of the traditional variables of PTS for the specific purpose of encoding meta-variables of PTSCα: for each meta-variable $\alpha$ (resp. $\beta$) of arity $k$, we reserve in the syntax of PTS a variable which we write $\alpha^k$ (resp. $\beta^k$).

For the remainder of this section, we therefore restrict our attention to that fragment, PTSα, of PTS-terms where such a variable $\alpha^k$ (resp. $\beta^k$) is never bound and is applied to at least $k$ (resp. $k+1$) arguments. The only subtlety, explained below, is why $\beta^k$ is applied to at least $k+1$ arguments (instead of the expected $k$).

Remark 2.1. The fragment PTSα is stable under β-reduction⁴ and thus satisfies confluence.

Fig. 3 shows the translation of the syntax of PTSCα into PTSα. While the translation of meta-variables for terms is natural, that of meta-variables for lists is more subtle, since the translation of lists is parameterised by the future head variable. How can we relate such a variable to a list of terms that is (yet) unknown? We simply give it as an extra argument (the first one) of the encoded meta-variable.

⁴ By the capture-avoiding properties of β-reduction and the fact that, if an occurrence of a free variable is applied to (at least) $k$ arguments, so are its residuals after a β-step.

Figure 3: From PTSCα to PTSα

Theorem 2.2 (Simulation of PTSCα). $\to_\beta$ simulates $\to_{Bx'}$ through $\mathsf B$.

Proof. If $M \to_B N$ then $\mathsf B(M) \to^*_\beta \mathsf B(N)$, if $l \to_B l'$ then $\mathsf B_y(l) \to^*_\beta \mathsf B_y(l')$, if $M \to_{x'} N$ then $\mathsf B(M) = \mathsf B(N)$ and if $l \to_{x'} l'$ then $\mathsf B_y(l) = \mathsf B_y(l')$, which are proved by simultaneous induction on the derivation step and case analysis. □



\[
\begin{array}{rcl@{\qquad}rcl}
\mathsf A(s) &=& s & \mathsf A_l(\alpha^k\,t_1\ldots t_k) &=& \alpha(\mathsf A(t_1),\ldots,\mathsf A(t_k))\,l\\
\mathsf A(\Pi x^U.T) &=& \Pi x^{\mathsf A(U)}.\mathsf A(T) & \mathsf A_l(\beta^k\,t\,t_1\ldots t_k) &=& \mathsf A_{\beta(\mathsf A(t_1),\ldots,\mathsf A(t_k))@l}(t)\\
\mathsf A(\lambda x^U.t) &=& \lambda x^{\mathsf A(U)}.\mathsf A(t) & \mathsf A_l(t\,u) &=& \mathsf A_{\mathsf A(u)\cdot l}(t)\ \text{otherwise}\\
\mathsf A(\alpha^k\,t_1\ldots t_k) &=& \alpha(\mathsf A(t_1),\ldots,\mathsf A(t_k)) & \mathsf A_l(x) &=& x\,l\\
\mathsf A(\beta^k\,t\,t_1\ldots t_k) &=& \mathsf A_{\beta(\mathsf A(t_1),\ldots,\mathsf A(t_k))}(t) & \mathsf A_l(t) &=& \mathsf A(t)\,l\ \text{otherwise}\\
\mathsf A(t) &=& \mathsf A_{[\,]}(t)\ \text{otherwise}
\end{array}
\]

Figure 4: From PTSα to PTSCα

Fig. 4 shows the translation from PTSα into PTSCα.⁵ It is simply the adaptation to the higher-order case of Prawitz's translation from natural deduction to sequent calculus [Pra65]: the translation $\mathsf A(t)$ of an application relies on a list-parameterised version $\mathsf A_l(t)$ of the translation. Example 2.8 below illustrates how the definitions in Fig. 4 and Fig. 3 expand.

⁵ Note how we spot the situations which arise from encoded meta-variables, using the explicitly displayed arity to identify the arguments.
It is not obvious that the inductive definition of the translation is well-founded. To see this we need the following notion:

Definition 2.3 (List-needing terms). We say that a λ-term $t$ needs a list $l$ if the pair $(t,l)$ satisfies the following property: if $l = [\,]$ then $t$ is either a variable or an application that is not of the form $\alpha^k\,t_1\cdots t_k$.⁶

The inductive definition of the translation is done by structural induction on the term, subject to the consideration that $\mathsf A_l(t)$ is defined before $\mathsf A(t)$ if $t$ needs $l$, and that $\mathsf A_l(t)$ is defined after $\mathsf A(t)$ if not. The terminology comes from the fact that $t$ needs $l$ if and only if $\mathsf A_l(t)$ is not a B1-redex.

In order to prove confluence, we first need the following results:

Lemma 2.4.

(1) $\mathsf A(t)$ is an $x'$-normal form. If $l$ is $x'$-normal and $t$ needs $l$ then $\mathsf A_l(t)$ is $x'$-normal.

(2) If $l \to_{Bx'} l'$ then $\mathsf A_l(t) \to_{Bx'} \mathsf A_{l'}(t)$.

(3) $\mathsf A_{l'}(t)\,l \to^*_{x'} \mathsf A_{l'@l}(t)$ and $\mathsf A(t)\,l \to^*_{x'} \mathsf A_l(t)$.

(4) $\langle \mathsf A(u)/x\rangle \mathsf A(t) \to^*_{x'} \mathsf A(\{u/x\}t)$ and $\langle \mathsf A(u)/x\rangle \mathsf A_l(t) \to^*_{x'} \mathsf A_{\langle \mathsf A(u)/x\rangle l}(\{u/x\}t)$.

Proof. Each point is obtained by straightforward induction on $t$. Note that in order to prove point 4 we need rules A3 and A4. These are not needed (for simulation of β-reduction and for confluence) when only ground terms are concerned. □

Theorem 2.5 (Simulation of PTS). $\to_{Bx'}$ (strongly) simulates $\to_\beta$ through $\mathsf A$.

Proof. If $t \to_\beta u$ then $\mathsf A(t) \to^+_{Bx'} \mathsf A(u)$ and $\mathsf A_l(t) \to^+_{Bx'} \mathsf A_l(u)$, each proved by induction on the derivation step, using Lemma 2.4(4) for the base case and Lemma 2.4(3). □

Now we study the composition of the two translations:

Lemma 2.6. Suppose $M$ and $l$ are $x'$-normal forms.

(1) If $t$ needs $l$ then $\mathsf A_l(t) = \mathsf A(\{t/x\}\mathsf B_x(l))$ (for any $x \notin FV(l)$).

(2) $M = \mathsf A(\mathsf B(M))$.

Proof. By simultaneous induction on $l$ and $M$. Again, rules A3 and A4 (as well as Cα and Dβ) are needed for this lemma to capture the notion of normal form corresponding to the PTS-terms, when meta-variables are present. □

Theorem 2.7.

(1) $\mathsf B(\mathsf A(t)) = t$

(2) $M \to^*_{x'} \mathsf A(\mathsf B(M))$

Proof.

(1) $\mathsf B(\mathsf A(t)) = t$ and $\mathsf B(\mathsf A_l(t)) = \{t/x\}\mathsf B_x(l)$ (with $x \notin FV(l)$) are obtained by simultaneous induction on $t$.

(2) $M \to^*_{x'} \mathsf A(\mathsf B(M))$ holds by induction on the longest sequence of $x'$-reduction from $M$ ($x'$ is terminating): by Lemma 2.6(2) it holds if $M$ is an $x'$-normal form, and if $M \to_{x'} N$ then we can apply the induction hypothesis on $N$ and by Theorem 2.2 we have the result. □

⁶ Remember that we suppose that $\alpha^k$ is applied to at least $k$ arguments.
Example 2.8. Here is an example illustrating Theorem 2.7(1), for $t = \beta^k\,(x\,y)\,t_1\ldots t_k$, whose translation by Fig. 4 is $\mathsf A(t) = x\,((y\,[\,])\cdot D)$:
\[
\begin{array}{rcl}
\mathsf B(x\,((y\,[\,])\cdot D)) &=& \mathsf B_x((y\,[\,])\cdot D)\\
&=& \{x\,\mathsf B(y\,[\,])/z\}\mathsf B_z(D)\ =\ \{x\,\mathsf B_y([\,])/z\}\mathsf B_z(D)\\
&=& \{x\,y/z\}\mathsf B_z(D)\ =\ \{x\,y/z\}(\beta^k\,z\,\mathsf B(\mathsf A(t_1))\ldots\mathsf B(\mathsf A(t_k)))\\
&=& \beta^k\,(x\,y)\,\mathsf B(\mathsf A(t_1))\ldots\mathsf B(\mathsf A(t_k))
\end{array}
\]
where $D = \beta(\mathsf A(t_1),\ldots,\mathsf A(t_k))$.
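The syntax of Definition 1.1 and the translation of Fig. 4, as an added worked example in Python (not code from the paper). Terms and lists are tagged tuples, `fv` follows Definition 1.1 including the meta-variable case, and `A`/`A_l` follow Fig. 4 case by case, spotting a reserved variable `('mv', kind, name, k)` by its displayed arity. Fig. 3 is not reproduced on this page, so the translation `B` below is the natural definition assumed here: the list translation is threaded on the head term (which is $\{h/y\}\mathsf B_y(l)$) and an unknown list $\beta(\ldots)$ becomes $\beta^k$ applied first to the head. The constructed term `T_EX` instantiates Example 2.8 with $k = 2$, $t_1 = y$, $t_2 = \lambda w^s.w$, and `roundtrip` checks Theorem 2.7(1) on it.

```python
"""Definition 1.1 terms/lists, FV, and the translations A (Fig. 4) and B of
Section 2, exercised on Example 2.8.  Added example, not the paper's code."""

# PTSC-alpha, as tagged tuples.  Terms: ('sort',s) ('pi',x,A,B) ('lam',x,A,M)
# ('varapp',x,l) ('app',M,l) ('esub',M,x,N) for <M/x>N, ('mvar',a,[M1..Mn]).
# Lists: ('nil',) ('cons',M,l) ('cat',l,l2) ('lsub',M,x,l) ('lmvar',b,[M1..Mn]).
# PTS-alpha: ('var',x) ('sort',s) ('pi',x,U,T) ('lam',x,U,t) ('papp',t,u), where
# the variable reserved for a meta-variable of arity k is ('mv', kind, name, k).
NIL = ('nil',)

def fv(t):
    """Free variables (Def. 1.1); meta-variable arguments contribute theirs."""
    tag = t[0]
    if tag in ('sort', 'nil'):
        return set()
    if tag in ('pi', 'lam'):                    # binds t[1] in t[3]
        return fv(t[2]) | (fv(t[3]) - {t[1]})
    if tag == 'varapp':
        return {t[1]} | fv(t[2])
    if tag in ('app', 'cons', 'cat'):
        return fv(t[1]) | fv(t[2])
    if tag in ('esub', 'lsub'):                 # <M/x>N binds x in N
        return fv(t[1]) | (fv(t[3]) - {t[2]})
    return set().union(*(fv(m) for m in t[2]))  # mvar / lmvar

def spine(t):
    """Head and arguments of a PTS application t1 ... tn."""
    args = []
    while t[0] == 'papp':
        args.append(t[2])
        t = t[1]
    return t, args[::-1]

def reserved(head, kind, nargs):
    """Head is alpha^k / beta^k of the given kind, with exactly the displayed arity."""
    return (head[0] == 'var' and isinstance(head[1], tuple)
            and head[1][1] == kind and head[1][3] == nargs)

def A(t):
    """Fig. 4, A(t)."""
    if t[0] == 'sort':
        return t
    if t[0] in ('pi', 'lam'):
        return (t[0], t[1], A(t[2]), A(t[3]))
    head, args = spine(t)
    if reserved(head, 'a', len(args)):          # alpha^k t1..tk
        return ('mvar', head[1][2], [A(u) for u in args])
    if reserved(head, 'b', len(args) - 1):      # beta^k t t1..tk
        return A_l(('lmvar', head[1][2], [A(u) for u in args[1:]]), args[0])
    return A_l(NIL, t)

def A_l(l, t):
    """Fig. 4, the list-parameterised A_l(t)."""
    head, args = spine(t)
    if reserved(head, 'a', len(args)):
        return ('app', ('mvar', head[1][2], [A(u) for u in args]), l)
    if reserved(head, 'b', len(args) - 1):
        return A_l(('cat', ('lmvar', head[1][2], [A(u) for u in args[1:]]), l), args[0])
    if t[0] == 'papp':                          # A_l(t u) = A_{A(u).l}(t)
        return A_l(('cons', A(t[2]), l), t[1])
    if t[0] == 'var':
        return ('varapp', t[1], l)
    return ('app', A(t), l)

def papps(h, args):
    for u in args:
        h = ('papp', h, u)
    return h

def B(M):
    """B on x'-normal terms.  Fig. 3 is not reproduced on this page: this is the
    natural definition assumed here, consistent with the steps of Example 2.8."""
    tag = M[0]
    if tag == 'sort':
        return M
    if tag in ('pi', 'lam'):
        return (tag, M[1], B(M[2]), B(M[3]))
    if tag == 'varapp':
        return B_h(('var', M[1]), M[2])
    if tag == 'app':
        return B_h(B(M[1]), M[2])
    if tag == 'mvar':                           # alpha(M1..Mk) -> alpha^k B(M1)..B(Mk)
        return papps(('var', ('mv', 'a', M[1], len(M[2]))), [B(m) for m in M[2]])
    raise ValueError("explicit substitutions are outside this example")

def B_h(h, l):
    """B_y(l) with the future head y already replaced by the PTS term h, i.e.
    {h/y}B_y(l); an unknown list beta(M1..Mk) becomes beta^k applied to h first."""
    tag = l[0]
    if tag == 'nil':
        return h
    if tag == 'cons':
        return B_h(('papp', h, B(l[1])), l[2])
    if tag == 'cat':
        return B_h(B_h(h, l[1]), l[2])
    if tag == 'lmvar':
        return papps(('var', ('mv', 'b', l[1], len(l[2]))), [h] + [B(m) for m in l[2]])
    raise ValueError("explicit substitutions are outside this example")

# Example 2.8 instantiated (constructed): t = beta^2 (x y) t1 t2, t1 = y, t2 = lambda w^s.w
T_EX = papps(('var', ('mv', 'b', 'beta', 2)),
             [('papp', ('var', 'x'), ('var', 'y')), ('var', 'y'),
              ('lam', 'w', ('sort', 's'), ('var', 'w'))])

def roundtrip(t):
    """Theorem 2.7(1): B(A(t)) = t."""
    return B(A(t)) == t
```

On `T_EX`, `A` yields exactly the term $x\,((y\,[\,])\cdot D)$ of Example 2.8, with $D$ the list meta-variable applied to the translated $t_1, t_2$, and `B` folds it back to `T_EX`. Explicit substitutions are deliberately rejected by `B`: Theorem 2.7(2) only gives $M \to^*_{x'} \mathsf A(\mathsf B(M))$, so a checker that wants to compare a term with its round trip has to x'-normalise first.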

We finally get confluence:

Corollary 2.9 (Confluence). $\to_{x'}$ and $\to_{Bx'}$ are confluent.

Figure 5: Confluence by simulation

Proof. We use the simulation technique, as for instance in [KL05]: consider two reduction sequences starting from a term in PTSCα. They can be simulated through $\mathsf B$ by β-reductions, and since PTSα is confluent, we can close the diagram. Now the lower part of the diagram can be simulated through $\mathsf A$ back in PTSCα, which closes the diagram there as well, as shown in Fig. 5 for $Bx'$. Notice that the proof of confluence has nothing to do with typing and does not rely on any result in Section 3 (in fact, we use confluence in the proof of Subject Reduction in the Appendix). □

Considering meta-variables in the style of CRS [Klo80] avoids the usual problem of non-confluence coming from the critical pair between B and C4 which generate the two terms $\langle N/x\rangle\langle P/y\rangle M$ and $\langle\langle N/x\rangle P/y\rangle\langle N/x\rangle M$. Indeed, with ERS-style meta-variables these two terms need not reduce to a common term, but with the CRS-approach, they now can (using the rules Cα and Dβ). Again, note how the critical pair between B3 and itself (or B2) needs rule A3 in order to be closed, while it was only there for convenience when all terms were ground.
3. Typing system and properties

Throughout this section we consider PTSC, that is, the restriction to ground terms of PTSCα. We thus do not need to consider any notion of meta-variable, nor that of any special variable distinguished among PTS terms, such as those considered in the previous section.

Given the set of sorts $\mathcal S$, a particular PTSC is specified by a set $\mathcal A \subseteq \mathcal S^2$ and a set $\mathcal R \subseteq \mathcal S^3$. We shall see an example in Section 4.2.

Definition 3.1 (Typing Environments).

• A typing environment (henceforth simply: 'environment', for brevity's sake) is a list $\Gamma$ of pairs taken from $\mathcal X \times \mathcal T$, denoted $(x : A)$.

• We define the domain of an environment and the application of a substitution to an environment as follows:
\[
\begin{array}{rcl@{\qquad}rcl}
Dom(\emptyset) &=& \emptyset & Dom(\Gamma,(x{:}A)) &=& Dom(\Gamma), x\\
\langle P/y\rangle\emptyset &=& \emptyset & \langle P/y\rangle(\Gamma,(x{:}A)) &=& \langle P/y\rangle\Gamma,\ (x : \langle P/y\rangle A)
\end{array}
\]

• It is useful (see Section 6) to define $Dom(\Gamma)$ as a list, for which the meaning of $x \in Dom(\Gamma)$ is clear. If $\mathcal M$ is a set of variables, $\mathcal M \subseteq Dom(\Gamma)$ means for all $x \in \mathcal M$, $x \in Dom(\Gamma)$. Similarly, $Dom(\Gamma) \cap Dom(\Delta)$ is the set $\{x \in \mathcal X \mid x \in Dom(\Gamma) \wedge x \in Dom(\Delta)\}$.

We define the following inclusion relation between environments:

$\Gamma \sqsubseteq \Delta$ if for all $(x : A) \in \Gamma$, there is $(x : B) \in \Delta$ with $A \leftrightarrow^* B$.

The inference rules in Fig. 6 inductively define the derivability of three kinds of statement:

(1) $\Gamma\ \mathrm{wf}$

Intuitively, the derivability of this statement means that the environment $\Gamma$ is well-formed.

(2) $\Gamma \vdash M : A$ 'term typing'

Intuitively, the derivability of this statement means that $M$ is of type $A$ in the environment $\Gamma$ (is a proof of $A$ from the assumptions in $\Gamma$).

(3) $\Gamma; B \vdash l : C$ 'list typing'

The position of $B$ in the sequent is a special place called the stoup. Intuitively, the derivability of this statement means that, in the environment $\Gamma$, the list $l$ codes for an actual list of terms such that, when something of type $B$ is applied to them, the result is of type $C$ (this codes for a natural deduction of $C$ from $B$ by a series of Π-elimination rules, whose minor premisses are derived by the proof-terms in $l$ using the assumptions in $\Gamma$).

Side-conditions are used, such as $(s_1,s_2,s_3) \in \mathcal R$, $x \notin Dom(\Gamma)$, $A \leftrightarrow^* B$ or $\Gamma \sqsubseteq \Delta$, and we use the abbreviation $\Gamma \sqsubseteq \Delta\ \mathrm{wf}$ for $\Gamma \sqsubseteq \Delta$ and $\Delta\ \mathrm{wf}$. We freely abuse the notation in the customary way, by not distinguishing between a statement and its derivability according to the rules of Fig. 6.

There are three conversion rules $\text{conv}_R$, $\text{conv}_L$, and $\text{conv}'_L$, in order to deal with the two kinds of typing statement and, for list typing, also to be able to convert the type in the stoup.

Because substituting for a variable in an environment affects the rest of the environment (which could depend on that variable), the two rules for explicit substitutions ($\text{Cut}_2$ and $\text{Cut}_4$) must have a particular shape that manipulates the environment, if the PTSC is to satisfy basic required properties like those of a PTS.
\[
\begin{array}{c}
\dfrac{}{\emptyset\ \mathrm{wf}}\ \text{empty}
\qquad
\dfrac{\Gamma \vdash A : s \qquad x \notin Dom(\Gamma)}{\Gamma,(x{:}A)\ \mathrm{wf}}\ \text{extend}
\\[3ex]
\dfrac{\Gamma\ \mathrm{wf} \qquad (s,s') \in \mathcal A}{\Gamma \vdash s : s'}\ \text{sorted}
\qquad
\dfrac{\Gamma \vdash A : s_1 \qquad \Gamma,(x{:}A) \vdash B : s_2 \qquad (s_1,s_2,s_3) \in \mathcal R}{\Gamma \vdash \Pi x^A.B : s_3}\ \Pi\mathrm{wf}
\\[3ex]
\dfrac{\Gamma \vdash \Pi x^A.B : s \qquad \Gamma,(x{:}A) \vdash M : B}{\Gamma \vdash \lambda x^A.M : \Pi x^A.B}\ \Pi\mathrm{R}
\qquad
\dfrac{\Gamma; A \vdash l : B \qquad (x{:}A) \in \Gamma}{\Gamma \vdash x\,l : B}\ \text{Select}_x
\qquad
\dfrac{\Gamma \vdash A : s}{\Gamma; A \vdash [\,] : A}\ \text{axiom}
\\[3ex]
\dfrac{\Gamma \vdash M : A \qquad \Gamma \vdash B : s \qquad A \leftrightarrow^* B}{\Gamma \vdash M : B}\ \text{conv}_R
\qquad
\dfrac{\Gamma \vdash \Pi x^A.B : s \qquad \Gamma \vdash M : A \qquad \Gamma; \langle M/x\rangle B \vdash l : C}{\Gamma; \Pi x^A.B \vdash M\cdot l : C}\ \Pi\mathrm{L}
\\[3ex]
\dfrac{\Gamma; C \vdash l : A \qquad \Gamma \vdash B : s \qquad A \leftrightarrow^* B}{\Gamma; C \vdash l : B}\ \text{conv}'_L
\qquad
\dfrac{\Gamma; A \vdash l : C \qquad \Gamma \vdash B : s \qquad A \leftrightarrow^* B}{\Gamma; B \vdash l : C}\ \text{conv}_L
\\[3ex]
\dfrac{\Gamma; C \vdash l' : A \qquad \Gamma; A \vdash l : B}{\Gamma; C \vdash l'@l : B}\ \text{Cut}_1
\qquad
\dfrac{\Gamma \vdash P : A \qquad \Gamma,(x{:}A),\Delta; B \vdash l : C \qquad \Gamma, \langle P/x\rangle\Delta \sqsubseteq \Delta'\ \mathrm{wf}}{\Delta'; \langle P/x\rangle B \vdash \langle P/x\rangle l : \langle P/x\rangle C}\ \text{Cut}_2
\\[3ex]
\dfrac{\Gamma \vdash M : A \qquad \Gamma; A \vdash l : B}{\Gamma \vdash M\,l : B}\ \text{Cut}_3
\qquad
\dfrac{\Gamma \vdash P : A \qquad \Gamma,(x{:}A),\Delta \vdash M : C \qquad \Gamma, \langle P/x\rangle\Delta \sqsubseteq \Delta'\ \mathrm{wf}}{\Delta' \vdash \langle P/x\rangle M : C'}\ \text{Cut}_4
\end{array}
\]
where either ($C = C' \in \mathcal S$) or $C \notin \mathcal S$ and $C' = \langle P/x\rangle C$.

Figure 6: Typing rules of a PTSC

Example 3.2. Here is, as an example, a derivation of $x : s_1 \vdash x\,[\,] : s_1$ in a PTSC where $(s_1,s_2) \in \mathcal A$.
\[
\dfrac{
  \dfrac{
    \dfrac{
      \dfrac{
        \dfrac{
          \dfrac{}{\emptyset\ \mathrm{wf}}\ \text{empty}\qquad (s_1,s_2)\in\mathcal A
        }{\vdash s_1 : s_2}\ \text{sorted}
      }{x{:}s_1\ \mathrm{wf}}\ \text{extend}\qquad (s_1,s_2)\in\mathcal A
    }{x{:}s_1 \vdash s_1 : s_2}\ \text{sorted}
  }{x{:}s_1;\, s_1 \vdash [\,] : s_1}\ \text{axiom}
  \qquad (x{:}s_1)\in x{:}s_1
}{x{:}s_1 \vdash x\,[\,] : s_1}\ \text{Select}_x
\]
The lemmas of this section are proved by straightforward inductions on typing derivations:

Lemma 3.3 (Properties of typing statements). If $\Gamma \vdash M : A$ (respectively, $\Gamma; B \vdash l : C$) then $FV(M) \subseteq Dom(\Gamma)$ (respectively, $FV(l) \subseteq Dom(\Gamma)$), and the following statements can be derived with strictly smaller typing derivations:

(1) $\Gamma\ \mathrm{wf}$

(2) $\Gamma \vdash A : s$ for some $s \in \mathcal S$, or $A \in \mathcal S$ (resp. $\Gamma \vdash B : s$ and $\Gamma \vdash C : s'$ for some $s, s' \in \mathcal S$) □

Corollary 3.4 (Properties of well-formed environments).

(1) If $\Gamma, x{:}A, \Delta\ \mathrm{wf}$ then $\Gamma \vdash A : s$ for some $s \in \mathcal S$ with $x \notin Dom(\Gamma,\Delta)$ and $FV(A) \subseteq Dom(\Gamma)$ (and in particular $x \notin FV(A)$)

(2) If $\Gamma,\Delta\ \mathrm{wf}$ then $\Gamma\ \mathrm{wf}$. □

Lemma 3.5 (Weakening). Suppose $\Gamma,\Gamma'\ \mathrm{wf}$ and $Dom(\Gamma') \cap Dom(\Delta) = \emptyset$.

(1) If $\Gamma,\Delta \vdash M : A$ then $\Gamma,\Gamma',\Delta \vdash M : A$.

(2) If $\Gamma,\Delta; B \vdash l : C$, then $\Gamma,\Gamma',\Delta; B \vdash l : C$.

(3) If $\Gamma,\Delta\ \mathrm{wf}$, then $\Gamma,\Gamma',\Delta\ \mathrm{wf}$. □

We can also strengthen the weakening property into the thinning property by induction on the typing derivation. This allows us to weaken the environment, permute it, and convert the types inside, as long as it remains well-formed:

Lemma 3.6 (Thinning). Suppose $\Gamma \sqsubseteq \Delta\ \mathrm{wf}$.

(1) If $\Gamma \vdash M : A$ then $\Delta \vdash M : A$.

(2) If $\Gamma; B \vdash l : C$, then $\Delta; B \vdash l : C$. □

Using all of the results above, we obtain Subject Reduction:

Theorem 3.7 (Subject Reduction in a PTSC).

(1) If $\Gamma \vdash M : A$ and $M \to M'$, then $\Gamma \vdash M' : A$

(2) If $\Gamma; B \vdash l : C$ and $l \to l'$, then $\Gamma; B \vdash l' : C$

Proof. See the Appendix. □



4. Correspondence with PTS

4.1. Type preservation. There is a logical correspondence between a PTSC given by the sets $\mathcal S$, $\mathcal A$ and $\mathcal R$ and the associated PTS given by the same sets.

We prove this by showing that (when restricted to ground terms) the translations preserve typing.

Terms in PTS are typed according to the typing rules in Fig. 7, which depend on the sets $\mathcal S$, $\mathcal A$ and $\mathcal R$. Besides confluence for β-reduction, PTSs have the following meta-theoretic properties (for proofs, see e.g. [Bar92]):

Theorem 4.1.

(1) If $\Gamma \vdash_{PTS} t : T$ and $\Gamma \sqsubseteq \Delta\ \mathrm{wf}$ then $\Delta \vdash_{PTS} t : T$ (where the relation $\sqsubseteq$ is defined similarly to that of PTSC, but with β-equivalence).

(2) If $\Gamma \vdash_{PTS} t : T$ and $\Gamma, y{:}T, \Delta \vdash_{PTS} u : U$ then $\Gamma, \{t/y\}\Delta \vdash_{PTS} \{t/y\}u : \{t/y\}U$.

(3) If $\Gamma \vdash_{PTS} t : T$ and $t \to_\beta u$ then $\Gamma \vdash_{PTS} u : T$. □
$$
\begin{array}{c}
\dfrac{}{[]\ \mathrm{wf}}
\qquad
\dfrac{\Gamma \vdash_{PTS} T:s \quad x\notin \mathrm{Dom}(\Gamma)}{\Gamma,(x:T)\ \mathrm{wf}}
\qquad
\dfrac{\Gamma\ \mathrm{wf}\quad (x:T)\in\Gamma}{\Gamma\vdash_{PTS} x:T}
\\[3ex]
\dfrac{\Gamma\ \mathrm{wf}\quad (s,s')\in\mathcal{A}}{\Gamma\vdash_{PTS} s:s'}
\qquad
\dfrac{\Gamma\vdash_{PTS} U:s_1 \quad \Gamma,(x:U)\vdash_{PTS} T:s_2 \quad (s_1,s_2,s_3)\in\mathcal{R}}{\Gamma\vdash_{PTS} \Pi x^U.T:s_3}
\\[3ex]
\dfrac{\Gamma\vdash_{PTS} \Pi x^U.T:s \quad \Gamma,(x:U)\vdash_{PTS} t:T}{\Gamma\vdash_{PTS} \lambda x^U.t:\Pi x^U.T}
\qquad
\dfrac{\Gamma\vdash_{PTS} t:\Pi x^U.T \quad \Gamma\vdash_{PTS} u:U}{\Gamma\vdash_{PTS} t\,u:\{u/x\}T}
\\[3ex]
\dfrac{\Gamma\vdash_{PTS} t:U \quad \Gamma\vdash_{PTS} V:s \quad U\longleftrightarrow^*_\beta V}{\Gamma\vdash_{PTS} t:V}
\end{array}
$$

Figure 7: Typing rules of a PTS

We now extend the translations to environments:

$$
\begin{array}{ll}
\mathcal{A}(\emptyset) = [] & \mathcal{B}(\emptyset) = [] \\
\mathcal{A}(\Gamma,(x:T)) = \mathcal{A}(\Gamma),(x:\mathcal{A}(T)) & \mathcal{B}(\Gamma,(x:A)) = \mathcal{B}(\Gamma),(x:\mathcal{B}(A))
\end{array}
$$

Now note that the simulations in Section 2 imply:

Corollary 4.2 (Equational theories).

t ⟷*_β u if and only if A(t) ⟷* A(u)

M ⟷* N if and only if B(M) ⟷*_β B(N) □

Preservation of typing is proved by induction on the typing derivations:

Theorem 4.3 (Preservation of typing 1).

(1) If Γ ⊢_PTS t:T then A(Γ) ⊢ A(t):A(T).

(2) If $(\Gamma \vdash_{PTS} u_i : \{u_{i-1}/x_{i-1}\}\cdots\{u_1/x_1\}U_i)_{i=1\ldots n}$ and $\mathcal{A}(\Gamma) \vdash \mathcal{A}(\Pi x_1^{U_1}.\ldots\Pi x_n^{U_n}.T):s$

then $\mathcal{A}(\Gamma);\mathcal{A}(\Pi x_1^{U_1}.\ldots\Pi x_n^{U_n}.T) \vdash \mathcal{A}(u_1)\cdot\ldots\cdot\mathcal{A}(u_n)\cdot[] : \mathcal{A}(\{u_n/x_n\}\cdots\{u_1/x_1\}T)$.

(3) If Γ wf then A(Γ) wf. □

Theorem 4.4 (Preservation of typing 2).

(1) If Γ ⊢ M:A then B(Γ) ⊢_PTS B(M):B(A).

(2) If Γ;B ⊢ l:C then B(Γ),y:B(B) ⊢_PTS B_y(l):B(C) for any fresh y.

(3) If Γ wf then B(Γ) wf. □

4.2. Equivalence of Strong Normalisation.

Theorem 4.5. A PTSC given by the sets S, A, and R is strongly normalising if and only if the corresponding PTS given by the same sets is.

Proof. Assume that the PTSC is strongly normalising, and let us consider a well-typed t of the corresponding PTS, i.e. Γ ⊢_PTS t:T for some Γ,T. By Theorem 4.3, A(Γ) ⊢ A(t):A(T), so A(t) ∈ SN. Now by Theorem 2.5 any reduction sequence starting from t maps to a reduction sequence of at least the same length starting from A(t), but those are finite.

Now assume that the PTS is strongly normalising and that Γ ⊢ M:A in the corresponding PTSC. By subject reduction, any N such that M ⟶* N satisfies Γ ⊢ N:A and any sub-term P (resp. sub-list l) of any such N is also typable. By Theorem 4.4, for any such P (resp. l), B(P) (resp. B_y(l)) is typable in the PTS, so it is strongly normalising by assumption.

We now refine the first-order encoding of any such P and l (as defined in Section 1), emulating the technique of Bloo and Geuvers [BG99].

Accordingly, we refine the first-order signature from Section 1 by labelling the symbols cut^t(_,_) and sub^t(_,_) with all strongly normalising terms t of a PTS, thus generating an infinite signature. The precedence relation is refined as follows

$$ * \prec \|(\_,\_) \prec \underline{\quad}(\_) \prec \mathrm{cut}^t(\_,\_) \prec \mathrm{sub}^t(\_,\_) $$

but we also set sub^{t'}(_,_) ≺ cut^t(_,_) whenever t ⟶ t'. The precedence is still well-founded, so the induced lpo is also still well-founded (definitions and results can be found in [KL80]). The refinement of the encoding is given in Fig. 8. An induction on terms shows that reductions decrease the lpo. □



$$
\begin{array}{rcl}
T(s) & = & * \\
T(\lambda x^A.M) = T(\Pi x^A.M) & = & \|(T(A),T(M)) \\
T(x\,l) & = & \underline{\quad}(T(l)) \\
T(M\,l) & = & \mathrm{cut}^{\mathcal{B}(M\,l)}(T(M),T(l)) \\
T(\langle M/x\rangle N) & = & \mathrm{sub}^{\mathcal{B}(\langle M/x\rangle N)}(T(M),T(N)) \\[1ex]
T([]) & = & * \\
T(M\cdot l) & = & \|(T(M),T(l)) \\
T(l@l') & = & \|(T(l),T(l')) \\
T(\langle M/x\rangle l) & = & \mathrm{sub}^{\mathcal{B}(\langle M/x\rangle l)}(T(M),T(l))
\end{array}
$$

Figure 8: First-order encoding

Examples of strongly normalising PTS are the Calculus of Constructions [CH88], on which the proof-assistant Coq is based [Coq] (but it also uses inductive types and local definitions), as well as the other systems of Barendregt's Cube, for all of which we now have a corresponding PTSC that can be used for proof-search.

5. Proof-search

Proof-search considers as inputs an environment Γ and a type A, and the output, if successful, will be a term M such that Γ ⊢ M:A, moreover one in normal form. When we search for a list l such that Γ;B ⊢ l:C, the type B in the stoup is also an input. Henceforth, such a term type A or list type C will be called simply a goal.

The inference rules now need to be syntax-directed, that is determined by the shape of the goal (or of the type in the stoup), and the proof-search system (PS, for short) is then obtained by optimising appeals to the conversion rules, yielding the presentation given in Fig. 9. The incorporation of the conversion rules into the other rules is similar to that of the Constructive Engine in natural deduction [Hue89, vBJMP94]; however that algorithm was designed for type synthesis, for which the inputs and outputs are not the same as in proof-search, as mentioned in the introduction.



$$
\begin{array}{c}
\dfrac{D\longrightarrow^* C}{\Gamma;D\vdash_{PS} []:C}\ \mathrm{axiom}
\qquad
\dfrac{D\longrightarrow^* \Pi x^A.B \quad \Gamma\vdash_{PS} M:A \quad \Gamma;\langle M/x\rangle B\vdash_{PS} l:C}{\Gamma;D\vdash_{PS} M\cdot l:C}\ \Pi L
\\[3ex]
\dfrac{C\longrightarrow^* s_3 \quad (s_1,s_2,s_3)\in\mathcal{R} \quad \Gamma\vdash_{PS} A:s_1 \quad \Gamma,(x:A)\vdash_{PS} B:s_2}{\Gamma\vdash_{PS} \Pi x^A.B:C}\ \Pi\mathrm{wf}
\\[3ex]
\dfrac{C\longrightarrow^* s' \quad (s,s')\in\mathcal{A}}{\Gamma\vdash_{PS} s:C}\ \mathrm{sorted}
\qquad
\dfrac{(x:A)\in\Gamma \quad \Gamma;A\vdash_{PS} l:C}{\Gamma\vdash_{PS} x\,l:C}\ \mathrm{Select}_x
\\[3ex]
\dfrac{C\longrightarrow^* \Pi x^A.B \quad \Gamma,(x:A)\vdash_{PS} M:B}{\Gamma\vdash_{PS} \lambda x^A.M:C}\ \Pi R
\end{array}
$$

Figure 9: Rules for Proof-search

Note one small difference from [LDM06]: we do not, in rule ΠR, require that A be a normal form. As in [LDM06], soundness and completeness hold, but because of this difference, we get quasi-normal forms rather than normal forms.

Definition 5.1 (Quasi-normal form). A term (or a list) is a quasi-normal form if all its redexes are within type annotations of λ-abstractions, e.g. A in λx^A.M.

Notice that, as we are searching for (quasi-)normal forms, there are no cut-rules in PS. However, in PTSC even terms in normal form may need instances of the cut-rule in their typing derivation. This is because, in contrast to logics where well-formedness of formulae is pre-supposed (such as first-order logic, where cut is admissible), PTSC checks well-formedness of types. For instance in rule ΠL of PTSC a type which is not normalised (⟨M/x⟩B) occurs in the stoup of the third premiss, so cuts might be needed to type it inside the derivation.

We conjecture that if we modify rule ΠL by now requiring in the stoup of its third premiss a normal form to which ⟨M/x⟩B reduces, then any typable normal form can be typed with a cut-free derivation. However, this would make rule ΠL more complicated and, more importantly, we do not need such a conjecture to hold in order to perform proof-search.

In contrast, system PS avoids this problem by obviating such type-checking constraints altogether, because types are the input of proof-search, and should therefore be checked before starting search. This is the spirit of the type-checking proviso in the following soundness theorem.

PS is sound and complete in the following sense:






S. LENGRAND, R. DYCKHOFF, AND J. MCKINNA 



Theorem 5.2.

(1) (Soundness) Provided Γ ⊢ A:s, if Γ ⊢_PS M:A then Γ ⊢ M:A and M is a quasi-normal form.

(2) (Completeness) If Γ ⊢ M:A and M is a quasi-normal form, then we can derive Γ ⊢_PS M:A.

Proof. Both proofs are done by induction on typing derivations, with similar statements for list typing. For Soundness, the type-checking proviso is verified every time we need the induction hypothesis. For Completeness, the following lemma is required (and also proved inductively): given A ⟷* A', B ⟷* B' and C ⟷* C', if Γ ⊢_PS M:A then Γ ⊢_PS M:A', and if Γ;B ⊢_PS l:C then Γ;B' ⊢_PS l:C'. □

Note that neither part of the theorem relies on the unsolved problem of expansion postponement [vBJMP94, Pol98]. Indeed, as indicated above, PS does not check types. When recovering a full derivation tree from a PS one by the soundness theorem, expansions and cuts might be introduced at any point, arising from the derivation of the type-checking proviso.

Basic proof-search can be done in PS simply by

• reducing the goal, or the type in the stoup;

• depending on its shape, trying to apply one of the inference rules bottom-up; and

• recursively calling the process on the new goals (called sub-goals) corresponding to each premiss.

However, some degree of non-determinism is to be expected in proof-search. Such non-determinism is already present in natural deduction, but the sequent calculus version conveniently identifies exactly where it occurs.

There are three potential sources of such non-determinism:

• The choice of a variable x for applying rule Select_x, knowing only Γ and B (this corresponds in natural deduction to the choice of the head-variable of the proof-term). Not every variable of the environment will work, since the type in the stoup will eventually have to be unified with the goal, so we still need backtracking.

• When the goal reduces to a Π-type, there is an overlap between rules ΠR and Select_x; similarly, when the type in the stoup reduces to a Π-type, there is an overlap between rules ΠL and axiom. Both overlaps disappear when Select_x is restricted to the case when the goal does not reduce to a Π-type (and sequents with stoups never have a goal reducing to a Π-type). This corresponds to looking only for η-long normal forms in natural deduction. This restriction also brings the derivations in LJT (and in our PTSC) closer to the notion of uniform proofs. Further work includes the addition of η to the notion of conversion in PTSC.

• When the goal reduces to a sort s, three rules can be applied (in contrast to the first two points, this source of non-determinism does not already appear in the propositional case).

Such a classification is often called "don't care" non-determinism in the case of the choice to apply an invertible rule and "don't know" non-determinism when the choice identifies a potential backtracking point.

Don't know non-determinism can in fact be quite constrained by the need to eventually unify the stoup with the goal, as an example in Section 7 below illustrates. Indeed, the dependency created by a Π-type forces the searches for proofs of the two premisses of rule ΠL to be sequentialised in a way that might prove inefficient: the proof-term produced for the first premiss, selected among others at random, might well lead to the failure to solve the second premiss, leading to endless backtracking.

Hence, there is much to be gained by postponing the search for a proof of the first premiss and trying to solve the second with incomplete inputs. This might not terminate with success or failure but will send back constraints that may be useful in helping to solve the first premiss with the correct proof-term. "Helping" could just be giving some information to orient and speed up the search for the right proof-term, but it could well define it completely (saving numerous attempts with proof-terms that will lead to failure). Unsurprisingly, these constraints are produced by the axiom rule as unification constraints.

In Coq [Coq], the proof-search tactic apply x can be decomposed into the bottom-up application of Select_x followed by a series of bottom-up applications of ΠL and finally axiom, but it either postpones the solution of sub-goals or automatically solves them from the unification attempt, often avoiding obvious back-tracking.

In the next section we use the framework with meta-variables we have introduced to capture this behaviour in an extended sequent calculus.

6. Using meta-variables for proof-search

We now use the meta-variables in PTSCa to delay the solution of sub-goals created by the application of rules such as ΠL. In this way, the extension from PTSC to PTSCa supports not only an account of tactics such as apply x of Coq, but also the specification of algorithms for type inhabitant enumeration and unification. It provides the search-trees that such algorithms have to explore. Our approach has two main novelties in comparison with similar approaches (in the setting of natural deduction) by Dowek [Dow93] and Muñoz [Muñ01].

The first main novelty is that the search-tree is made of the inference rules of sequent calculus and its exploration is merely the root-first construction of a derivation tree; this greatly simplifies the understanding and the description of what such algorithms do.

The second main novelty is the avoidance of the complex phenomenon known as Γ-splitting that features in traditional inhabitation and unification algorithms (e.g. [Dow93]). In natural deduction, lists of arguments are not first-class objects; hence, when choosing a head variable in the construction of a λ-term, one also has to anticipate how many arguments it will be applied to (with polymorphism, there could be infinitely many choices). This anticipation can require a complex analysis of the sorting relations during a single search step and result in an infinitely branching search-tree whose exploration requires interleaving techniques. This is avoided by the use of meta-variables for lists of unknown length, which allows the choice of a head variable without commitment to the number of its arguments.

In contrast to Section 4, where we confined our attention to the ground terms of PTSCa and their relation to the corresponding PTS, here we consider the full language of open terms, representing incomplete proofs and partially solved goals. Correspondingly, (open) environments are now lists of pairs, denoted (x : A), where x is a variable and A is a (possibly open) term (while ground environments only feature ground terms). Ground terms and environments are the eventual targets of successful proof-search, with all meta-variables instantiated. We further consider a new environment Σ that contains the sub-goals that remain to be proved:
Definition 6.1 (Goal environment, constraint, solved constraint, substitution).

• A goal environment Σ is a list of:

— Triples of the form Γ ⊢ α : A, declaring the meta-variable α and called (term-)goals, where A is an open term and Γ is an open environment.

— 4-tuples of the form Γ;B ⊢ β:A, declaring the meta-variable β and called (list-)goals, where A and B are open terms and Γ is an open environment.

— Triples of the form A =_Γ B, called constraints, where Γ is an open environment and A and B are open terms.

Goals of a goal environment are required to declare distinct meta-variables.

• A constraint is solved if it is of the form A =_Γ B where A and B are ground and A ⟷* B.

• A goal environment is solved if it contains no term or list goals and consists only of solved constraints.

• A substitution is a finite function σ that maps a meta-variable for term (resp. list), of arity n, to a closed higher-order term (resp. list) of arity n, that is to say, a term (resp. list) under a series of n bindings that capture (at least) its free variables (e.g. x.y.M with FV(M) ⊆ {x,y}).¹

Such a series of bindings can be provided by a typing environment Γ, e.g. Dom(Γ).M (which is a useful notation when e.g. Γ ⊢ M:A).

As usual, substitutions σ are built up from individual bindings of the form (α ↦ x1...xn.M) by concatenation σ,σ', where bindings in σ' override those in σ.

• The application of a substitution to terms and lists is defined by induction on these. Only the base cases are interesting:

If σ(α) = x1...xn.M, then σ(α(N1,...,Nn)) is the x'-normal form² of

⟨σ(N1)/x1⟩...⟨σ(Nn)/xn⟩M

(with the usual capture-avoiding conditions).

Similarly, if σ(β) = x1...xn.l, then σ(β(N1,...,Nn)) is the x'-normal form of

⟨σ(N1)/x1⟩...⟨σ(Nn)/xn⟩l

The application of a substitution to an environment is the straightforward extension of the above.

For instance on the example of Section 1, for an actual term M with FV(M) = {x,y} and σ(α) = x.y.M, we have that σ(α(N,P)) is the x'-normal form of ⟨σ(N)/x⟩⟨σ(P)/y⟩M.

The reason why we x'-normalise the instantiation of meta-variables is that if M is already x'-normal then (α ↦ x1...xn.M)(α(y1 [],...,yn [])) really is a renaming of M (and also an x'-normal form). This ensures that only normal forms are output by our system for proof-search, which we can more easily relate to PS.

We now introduce this system, called PE for Proof Enumeration, which can be seen as an extension of PS to open terms.

Definition 6.2 (An inference system PE for proof enumeration).

The inference rules for system PE, in Fig. 10, manipulate three kinds of statement:

• The first two are of the form Γ ⊢ M:A | Σ and Γ;B ⊢ l:C | Σ.

¹ This uses a standard notation that can be found in e.g. [Ter03], Ch. 11.
² Which exists because x' is convergent even on untyped terms, by Corollary 1.3.
$$
\begin{array}{c}
\dfrac{\Gamma = x_1{:}A_1,\dots,x_n{:}A_n}{\Gamma;D\vdash_{PE} \beta(x_1\,[],\dots,x_n\,[]):C \mid (\Gamma;D\vdash\beta:C)}\ \mathrm{Claim}_\beta
\qquad
\dfrac{}{\Gamma;D\vdash_{PE} []:C \mid D =_\Gamma C}\ \mathrm{axiom}
\\[3ex]
\dfrac{D\longrightarrow^*_{Bx} \Pi x^A.B \quad \Gamma\vdash_{PE} M:A\mid\Sigma_1 \quad \Gamma;\langle M/x\rangle B\vdash_{PE} l:C\mid\Sigma_2}{\Gamma;D\vdash_{PE} M\cdot l:C\mid\Sigma_1,\Sigma_2}\ \Pi L
\\[3ex]
\dfrac{\Gamma = x_1{:}A_1,\dots,x_n{:}A_n}{\Gamma\vdash_{PE} \alpha(x_1\,[],\dots,x_n\,[]):C \mid (\Gamma\vdash\alpha:C)}\ \mathrm{Claim}_\alpha
\qquad
\dfrac{C\longrightarrow^*_{Bx} s \quad (s',s)\in\mathcal{A}}{\Gamma\vdash_{PE} s':C\mid\emptyset}\ \mathrm{sorted}
\\[3ex]
\dfrac{C\longrightarrow^*_{Bx} s \quad (s_1,s_2,s)\in\mathcal{R} \quad \Gamma\vdash_{PE} A:s_1\mid\Sigma_1 \quad \Gamma,x{:}A\vdash_{PE} B:s_2\mid\Sigma_2}{\Gamma\vdash_{PE} \Pi x^A.B:C\mid\Sigma_1,\Sigma_2}\ \Pi\mathrm{wf}
\\[3ex]
\dfrac{(x:A)\in\Gamma \quad \Gamma;A\vdash_{PE} l:C\mid\Sigma'}{\Gamma\vdash_{PE} x\,l:C\mid\Sigma'}\ \mathrm{Select}_x
\qquad
\dfrac{C\longrightarrow^*_{Bx} \Pi x^A.B \quad \Gamma,x{:}A\vdash_{PE} M:B\mid\Sigma'}{\Gamma\vdash_{PE} \lambda x^A.M:C\mid\Sigma'}\ \Pi R
\\[4ex]
\dfrac{\Gamma;B\vdash_{PE} l:C\mid\Sigma'' \quad \Sigma,\Sigma'',(\beta\mapsto \mathrm{Dom}(\Gamma).l)(\Sigma')\Longrightarrow_{PE}\sigma_\Sigma,\sigma_{\Sigma''},\sigma_{\Sigma'}}{\Sigma,(\Gamma;B\vdash\beta:C),\Sigma'\Longrightarrow_{PE}\sigma_\Sigma,(\beta\mapsto \mathrm{Dom}(\Gamma).(\sigma_\Sigma,\sigma_{\Sigma''})(l)),\sigma_{\Sigma'}}\ \mathrm{Solve}_\beta
\\[3ex]
\dfrac{\Gamma\vdash_{PE} M:A\mid\Sigma'' \quad \Sigma,\Sigma'',(\alpha\mapsto \mathrm{Dom}(\Gamma).M)(\Sigma')\Longrightarrow_{PE}\sigma_\Sigma,\sigma_{\Sigma''},\sigma_{\Sigma'}}{\Sigma,(\Gamma\vdash\alpha:A),\Sigma'\Longrightarrow_{PE}\sigma_\Sigma,(\alpha\mapsto \mathrm{Dom}(\Gamma).(\sigma_\Sigma,\sigma_{\Sigma''})(M)),\sigma_{\Sigma'}}\ \mathrm{Solve}_\alpha
\\[3ex]
\dfrac{\Sigma\ \text{is solved}}{\Sigma\Longrightarrow_{PE}\emptyset}\ \mathrm{Solved}
\end{array}
$$

Figure 10: Proof-term enumeration ⊢_PE

• The third kind of statement is of the form Σ ⟹ σ, where

— Σ is a goal environment;

— σ is a substitution as defined above.

In the bottom part of the figure we use the notational convention that a substitution denoted σ_Σ has the meta-variables of the goal environment Σ as its domain.

Derivability in PE of the three kinds of statement is denoted respectively by Γ ⊢_PE M:A | Σ, Γ;B ⊢_PE l:C | Σ and Σ ⟹_PE σ.

The statements Γ ⊢ M:A | Σ and Γ;B ⊢ l:C | Σ have the same intuitive meaning as the corresponding statements in system PS, but note the extra goal environment Σ, which represents the list of sub-goals and constraints that have been produced by proof-search and that remain to be solved. Thus, the inputs of proof enumeration are Γ and A (and Γ, B and C for the second kind of statement) and the outputs are a term M (or list l) and goal environment Σ. Statements of PS are in fact particular cases of these statements with Σ being always solved.

In contrast, in a statement of the form Σ ⟹ σ, Σ is the list of goals to solve, together with the constraints that the solutions must satisfy. It is the input of proof enumeration and σ is meant to be its solution, i.e. the output.
Now we prove that PE is sound. For that we need the following notion:

Definition 6.3 (Solution). We define the property σ is a solution of a goal environment Σ, by induction on the length of Σ.

• ∅ is a solution of ∅.

• If σ is a solution of Σ and

x1:σ(A1), ..., xn:σ(An) ⊢_PS (σ(α))(x1 [],...,xn []):σ(C)

then σ is a solution of Σ, (x1:A1,...,xn:An ⊢ α:C).

• If σ is a solution of Σ and

x1:σ(A1), ..., xn:σ(An);σ(D) ⊢_PS (σ(β))(x1 [],...,xn []):σ(C)

then σ is a solution of Σ, (x1:A1,...,xn:An;D ⊢ β:C).

• If σ is a solution of Σ and

σ(D) ⟷* σ(C)

then σ is a solution of Σ, D =_Γ C.

For soundness we also need the following lemma:

Lemma 6.4. Suppose that σ(M) and σ(l) are ground.

(1) If M ⟶_{Bx'} N then σ(M) ⟶*_{Bx} σ(N).

(2) If l ⟶_{Bx'} l' then σ(l) ⟶*_{Bx} σ(l').

Proof. By simultaneous induction on the derivation of the reduction step, checking all rules for the base case of root reduction. □

Theorem 6.5 (Soundness). Suppose σ is a solution of Σ.

(1) If Γ ⊢_PE M:A | Σ then σ(Γ) ⊢_PS σ(M):σ(A).

(2) If Γ;B ⊢_PE l:C | Σ then σ(Γ);σ(B) ⊢_PS σ(l):σ(C).

Proof. By induction on derivations. □

Corollary 6.6. If Σ ⟹_PE σ then σ is a solution of Σ.

Proof. By induction on the derivation, using Theorem 6.5. □

System PE is complete in the following sense:

Theorem 6.7 (Completeness).

(1) If Γ ⊢_PS M:A then Γ ⊢_PE M:A | Σ for some solved Σ.

(2) If Γ;B ⊢_PS l:C then Γ;B ⊢_PE l:C | Σ for some solved Σ.

Proof. By induction on derivations. The rules of PE generalise those of PS. □

In fact, completeness of the full system PE is not surprising, since it is quite general. In particular, nothing is said about when the process should decide to abandon the current goal and start working on another one. Hence we should be interested in completeness of particular strategies dealing with that question. For instance:

• We can view the system PS as supporting the strategy of eagerly solving sub-goals as soon as they are created, never delaying them with the sub-goal environment.

• The algorithm for proof enumeration in [Dow93] would correspond here to the "lazy" strategy that always abandons the sub-goal generated by rule ΠL_PE, but this in fact enables unification constraints to guide the solution of this sub-goal later, so in that case laziness is probably more efficient than eagerness. This is probably what should be chosen for automated theorem proving.

• Mixtures of the two strategies can also be considered and could be the basis of interactive theorem proving. Indeed in some cases the user's input might be more efficient than the automated algorithm, and rule ΠL_PE would be a good place to ask whether the user has any clue to solve the sub-goal (since it could help solving the rest of the unification). If he or she has none, then by default the algorithm might abandon the sub-goal and leave it for later.

In Coq, the tactic apply x does something similar: it tries to automatically solve the sub-goals that interfere with the unification constraint (leaving the other ones for later, visible to the user), but, if unification fails, it is always possible for the user to use the tactic and give explicitly the proof-term to make it work. However, such an input is not provided in proof synthesis mode in Coq and the user really has to give it fully, since the tactic will fail if unification fails. In PE, the unification constraint can remain partially solved.

All these behaviours can be simulated in PE, which is therefore a useful framework for the study of proof-search strategies in type theory and for comparison with the work of Jojgov [GJ02], McBride [McB00] and Delahaye [Del01].

7. Example: commutativity of conjunction

We now give an example of proof-search (first introduced in [LDM06] without using meta-variables) in the PTSC equivalent to System F, i.e. the one given by the sets:

S = {⋆,□}, A = {(⋆,□)}, and R = {(⋆,⋆),(□,⋆)}

For brevity, we omit types on λ-abstractions, abbreviate x [] as x for any variable x and simplify ⟨N/x⟩P to P when x ∉ FV(P). We also write A ∧ B in place of its System F representation as ΠQ^⋆.(A→(B→Q))→Q.
Proof-search in system PS would result in the following derivation (each line gives a sequent and the rule that derives it from the lines indented above it; the root is the last line):

                π_B                       π_A                 Γ;Q ⊢_PS []:Q  (axiom)
            Γ ⊢_PS N_B:B            Γ;A→Q ⊢_PS N_A·[]:Q                       (ΠL)
            Γ;B→(A→Q) ⊢_PS N_B·N_A·[]:Q                                      (ΠL)
            Γ ⊢_PS y N_B·N_A·[]:Q                                            (Select_y)
  A:⋆,B:⋆ ⊢_PS λx.λQ.λy.y N_B·N_A·[] : (A∧B)→(B∧A)                           (ΠR, three times)

where Γ = A:⋆, B:⋆, x:A∧B, Q:⋆, y:B→(A→Q), and π_A is the following derivation (N_A = x A·(λx'.λy'.x')·[]):

                                  Γ,x':A,y':B;A ⊢_PS []:A                     (axiom)
                                  Γ,x':A,y':B ⊢_PS x':A                       (Select_x')
  Γ;⋆ ⊢_PS []:⋆  (axiom)          Γ ⊢_PS λx'.λy'.x' : A→(B→A)  (ΠR, twice)   Γ;A ⊢_PS []:A  (axiom)
  Γ ⊢_PS A:⋆  (Select_A)          Γ;(A→(B→A))→A ⊢_PS (λx'.λy'.x')·[]:A                     (ΠL)
            Γ;A∧B ⊢_PS A·(λx'.λy'.x')·[]:A                                                (ΠL)
            Γ ⊢_PS x A·(λx'.λy'.x')·[]:A                                                  (Select_x)

Similarly, π_B has a derivation (N_B = x B·(λx'.λy'.y')·[]) with an analogous conclusion

Γ ⊢_PS x B·(λx'.λy'.y')·[]:B.

We now reconsider the above example in the light of system PE. It illustrates the need for delaying the search for a proof of the first premiss of rule ΠL. Let

Γ = A:⋆, B:⋆, x:A∧B, Q:⋆, y:B→A→Q
α_A(Γ) = α_A(A,B,x,Q,y)
α_B(Γ) = α_B(A,B,x,Q,y)
M' = λx.λQ.λy.y α_B(Γ)·α_A(Γ)·[]
Σ = (Γ ⊢ α_B:B), (Γ ⊢ α_A:A), (Q =_Γ Q)

We get the PE-derivation below (same layout as above: each line is derived by the indicated PE rule from the lines indented above it):

                                  Γ ⊢ α_A(Γ):A | (Γ ⊢ α_A:A)  (Claim_α)     Γ;Q ⊢ []:Q | (Q =_Γ Q)  (axiom)
  Γ ⊢ α_B(Γ):B | (Γ ⊢ α_B:B)  (Claim_α)     Γ;A→Q ⊢ α_A(Γ)·[]:Q | (Γ ⊢ α_A:A),(Q =_Γ Q)  (ΠL)
            Γ;B→A→Q ⊢ α_B(Γ)·α_A(Γ)·[]:Q | Σ     (ΠL)
            Γ ⊢ y α_B(Γ)·α_A(Γ)·[]:Q | Σ         (Select_y)
  A:⋆,B:⋆ ⊢ M':(A∧B)→(B∧A) | Σ  (ΠR, three times)          Σ ⟹ σ_Σ
  (A:⋆,B:⋆ ⊢ α:(A∧B)→(B∧A)) ⟹ (α ↦ σ_Σ(M'))                (Solve_α)

where σ_Σ = (α_B ↦ Dom(Γ).N_B, α_A ↦ Dom(Γ).N_A) is the solution to be obtained from the right premiss.
In the above derivation, we have systematically abandoned the sub-goals and recorded them for later. The only choice we made was that of the head-variable y, because it led to the production of the (solved) unification constraint (Q =_Γ Q).

We now continue the proof-search with the right premiss, solving the two sub-goals (Γ ⊢ α_B:B) and (Γ ⊢ α_A:A) that have been delayed. For instance, we can now decide to solve (Γ ⊢ α_A:A), which will eventually produce the binding α_A ↦ Dom(Γ).N_A with N_A = x A·(λx'y'.x')·[], as follows:

                            Γ' ⊢ α'_1(Γ'):α_1(Γ) | Σ'_1  (Claim_α)
                            Γ ⊢ λx'y'.α'_1(Γ'):A→B→α_1(Γ) | Σ'_1  (ΠR, twice)     Γ;α_1(Γ) ⊢ []:A | Σ''_1  (axiom)
  Γ ⊢ α_1(Γ):⋆ | Σ_1  (Claim_α)     Γ;(A→B→α_1(Γ))→α_1(Γ) ⊢ (λx'y'.α'_1(Γ'))·[]:A | Σ'_1,Σ''_1  (ΠL)
            Γ;A∧B ⊢ α_1(Γ)·(λx'y'.α'_1(Γ'))·[]:A | Σ_1,Σ'_1,Σ''_1  (ΠL)
            Γ ⊢ x α_1(Γ)·(λx'y'.α'_1(Γ'))·[]:A | Σ_1,Σ'_1,Σ''_1  (Select_x)          D
  Σ ⟹ (α_B ↦ Dom(Γ).N_B, α_A ↦ Dom(Γ).x A·(λx'y'.x')·[])   (Solve_α)

where

α_1(Γ) = α_1(A,B,x,Q,y)
Σ_1 = (Γ ⊢ α_1:⋆)
Γ' = Γ, x':A, y':B
α'_1(Γ') = α'_1(A,B,x,Q,y,x',y')
Σ'_1 = (Γ' ⊢ α'_1:α_1(Γ))
Σ''_1 = (α_1(Γ) =_Γ A)
σ = (α_B ↦ Dom(Γ).N_B, α_1 ↦ Dom(Γ).A, α'_1 ↦ Dom(Γ').x')

and D is a sub-derivation whose conclusion is as follows:

(Γ ⊢ α_B:B), Σ_1, Σ'_1, Σ''_1, (Q =_Γ Q) ⟹ σ

In the above derivation, we have also abandoned the generated sub-goals. Again we made one committing choice: that of the head-variable x, which led to the unification constraint α_1(Γ) =_Γ A. Any other choice of head-variable would have led to a unification constraint with no solution. Here, this fact (and the subsequent choice of x) can be mechanically noticed by a simple syntactic check.

We now continue the proof-search with the right premiss. We can decide to solve (Γ ⊢ α_B:B), (Γ ⊢ α_1:⋆), or (Γ' ⊢ α'_1:α_1(Γ)). The order in which we solve (Γ ⊢ α_B:B) has little importance (the structure is similar to that of the derivation above), but clearly we cannot solve (Γ' ⊢ α'_1:α_1(Γ)) before we know α_1(Γ). Hence, we need to solve (Γ ⊢ α_1:⋆) first, which will produce α_1 ↦ Dom(Γ).A:



  Γ;⋆ ⊢ []:⋆ | ⋆ =_Γ ⋆  (axiom)
  Γ ⊢ A []:⋆ | ⋆ =_Γ ⋆  (Select_A)     (Γ ⊢ α_B:B), (⋆ =_Γ ⋆), (Γ' ⊢ α'_1:A), (A =_Γ A), (Q =_Γ Q) ⟹ σ'
  (Γ ⊢ α_B:B), Σ_1, Σ'_1, Σ''_1, (Q =_Γ Q) ⟹ σ   (Solve_α)

where σ' = (α_B ↦ Dom(Γ).N_B, α'_1 ↦ Dom(Γ').x').

In this derivation we had to inhabit ⋆. This is a fundamental step of the proof, even when expressed with ground terms (in system PS) as above. Here, having delayed the solution of sub-goals, we are now able to infer the correct inhabitation, directly from the unification constraint (α_1(Γ) =_Γ A) which we have generated previously. Our delaying mechanism thus avoids many situations in which the correct choice for inhabiting a type has to be guessed in advance, anticipating the implicit constraints that such a choice will have to satisfy at some point. This is hardly mechanisable and thus leads to numerous backtrackings.
Finally we proceed to the right premiss by solving (Γ' ⊢ α'_1:A):

  Γ';A ⊢ []:A | A =_{Γ'} A  (axiom)
  Γ' ⊢ x' []:A | A =_{Γ'} A  (Select_x')     (Γ ⊢ α_B:B), (⋆ =_Γ ⋆), (A =_{Γ'} A), (A =_Γ A), (Q =_Γ Q) ⟹ (α_B ↦ Dom(Γ).N_B)
  (Γ ⊢ α_B:B), (⋆ =_Γ ⋆), (Γ' ⊢ α'_1:A), (A =_Γ A), (Q =_Γ Q) ⟹ σ'   (Solve_α)

In this derivation we had to inhabit A. Again we made one committing choice: that of the head-variable x', which led to the unification constraint A =_{Γ'} A. Again, any other choice of head-variable would have led to obvious failure, a fact which can be mechanically noticed by a simple syntactic check.

We can then proceed with (Γ ⊢ α_B:B), in a way very similar to that for (Γ ⊢ α_A:A). We get eventually N_B = x B·(λx'y'.y')·[].

Putting it all together, we have used system PE to produce the following proof of the commutativity of conjunction:

A:⋆, B:⋆ ⊢ λxQy.y (x B·(λx'y'.y')·[])·(x A·(λx'y'.x')·[])·[] : (A∧B)→(B∧A)

The system has mechanically inferred the relevant choices of the head-variables structuring the proof-term, by finite checks and using the unification constraints generated by delaying the solution of sub-goals.

Conclusion and Further Work

In this paper we have developed a framework that serves as a good theoretical basis for proof-search in type theory.

Proof-search tactics in natural deduction depart from the simple bottom-up application of the typing rules; thus their readability and usage become more complex, as illustrated in proof-assistants such as Coq. Just as in propositional logic [DP99a], permutation-free sequent calculi can be a useful theoretical approach to study and design such tactics, in the hope of improving semi-automated reasoning.

Following these ideas, we have defined a parameterised formalism giving a sequent calculus for each PTS. It comprises a syntax, a rewrite system and typing rules. In contrast to previous work, the syntax of both types and proof-terms of PTSCa is in sequent calculus style, thus avoiding implicit or explicit conversions to natural deduction [GR03c, PD98]. We have given a direct proof, by simulation, of confluence for each PTSCa.

We have established a strong correspondence with natural deduction (regarding both logic and strong normalisation), when restricted to the ground terms PTSC of a given PTSCa. These results and their proofs were formalised in Coq [Sil09]. We can give as examples the corners of Barendregt's λ-cube, for which we now have an elegant theoretical framework for proof-search: we have shown how to deal with conversion rules so that basic proof-search tactics are simply the root-first application of the typing rules.

These ideas have then been extended, in the calculi PTSCa, by the use of meta-variables to formalise the notion of incomplete proofs, and their theory has been studied. The approach differs from [Muñ01] both in that we use sequent calculus rules, which match proof-search tactics, and in that our system simulates β-reduction.

We have shown that, in particular, the explicit use of meta-variables avoids the phenomenon of Γ-splitting and allows for more flexibility in proof-search, where sub-goals can be tackled in the order that is most suitable for each situation. Such flexibility avoids some of the need for "guess-work" in proof-search, and formalises some mechanisms of proof-search tactics in proof assistants. This approach has been illustrated by the example of commutativity of conjunction.

Our system does not commit to specific search strategies a priori, so that it can be used as a general framework to investigate such strategies, as discussed at the end of Section 6. This could reflect various degrees of user interaction in proof-search.

Ongoing work includes the incorporation of some of these ideas into the redesign of the Coq proof engine [Coq]. It also includes the treatment of η-conversion, a feature that is currently lacking in the PTS-based system Coq. We expect that, by adding η-expansion to our system, our approach to proof-search can be related to that of uniform proofs in logic programming.

Further work includes studying direct proofs of strong normalisation (such as Kikuchi's for propositional logic [Kik04]), and dealing with inductive types such as those used in Coq. Their specific proof-search tactics should also clearly appear in sequent calculus. Finally, given the importance of sequent calculi for classical logic, it would be interesting to build classical Pure Type Sequent Calculi.
Subject Reduction 

Definition 1. We write $\Gamma\vdash^* M:A$ (resp. $\Gamma;B\vdash^* l:C$) whenever we can derive $\Gamma\vdash M:A$ 
(resp. $\Gamma;B\vdash l:C$) and the last rule is not a conversion rule. 

The following Lemma is easily derived by induction on the typing tree: 

Lemma 2 (Generation Lemma). 

(1) (a) If $\Gamma\vdash_{\mathrm{PTSC}} s:C$ then there is $s'$ such that $\Gamma\vdash^* s:s'$ with $C\longleftrightarrow^* s'$. 

(b) If $\Gamma\vdash_{\mathrm{PTSC}}\Pi x^A.B:C$ then there is $s$ such that $\Gamma\vdash^*\Pi x^A.B:s$ with $C\longleftrightarrow^* s$. 

(c) If $\Gamma\vdash_{\mathrm{PTSC}}\lambda x^A.M:C$ then there is $B$ such that $C\longleftrightarrow^*\Pi x^A.B$ and $\Gamma\vdash^*\lambda x^A.M:\Pi x^A.B$. 

(d) If $\Gamma\vdash_{\mathrm{PTSC}}\langle M/x\rangle N:C$ then there is $C'$ such that $\Gamma\vdash^*\langle M/x\rangle N:C'$ with $C\longleftrightarrow^* C'$. 

(e) If $M$ is not of the above forms and $\Gamma\vdash_{\mathrm{PTSC}} M:C$, then $\Gamma\vdash^* M:C$. 

(2) (a) If $\Gamma;B\vdash_{\mathrm{PTSC}}[]:C$ then $B\longleftrightarrow^* C$. 

(b) If $\Gamma;D\vdash_{\mathrm{PTSC}} M\cdot l:C$ then there are $A,B$ such that $D\longleftrightarrow^*\Pi x^A.B$ and $\Gamma;\Pi x^A.B\vdash^* M\cdot l:C$. 

(c) If $\Gamma;B\vdash_{\mathrm{PTSC}}\langle M/x\rangle l:C$ then there are $B',C'$ such that $\Gamma;B'\vdash^*\langle M/x\rangle l:C'$ with $C\longleftrightarrow^* C'$ and $B\longleftrightarrow^* B'$. 

(d) If $l$ is not of the above forms and $\Gamma;D\vdash_{\mathrm{PTSC}} l:C$, then $\Gamma;D\vdash^* l:C$. 

Proof. Straightforward induction on the typing tree. □ 
Remark 3. The following rule is derivable, using a conversion rule: 

\[
\dfrac{\Gamma\vdash_{\mathrm{PTSC}} Q:A\qquad \Gamma,(x:A),\Delta\vdash_{\mathrm{PTSC}} M:C\qquad \Gamma,\langle Q/x\rangle\Delta\subseteq\Delta'\ \text{wf}}{\Delta'\vdash_{\mathrm{PTSC}}\langle Q/x\rangle M:\langle Q/x\rangle C}
\]

Proving subject reduction relies on the following properties of $\longrightarrow_{\mathrm{Bx}}$: 

Lemma 4. 

• Two distinct sorts are not convertible. 

• A $\Pi$-construct is not convertible to a sort. 

• $\Pi x^A.B\longleftrightarrow^*\Pi x^D.E$ if and only if $A\longleftrightarrow^* D$ and $B\longleftrightarrow^* E$. 

• If $y\notin FV(P)$, then $P\longleftrightarrow^*\langle N/y\rangle P$. 

• $\langle M/y\rangle\langle N/x\rangle P\longleftrightarrow^*\langle\langle M/y\rangle N/x\rangle\langle M/y\rangle P$ (provided $x\notin FV(M)$). 

Proof. The first three properties are a consequence of the confluence of the rewrite system 
(Corollary 2.9). The last two rely on the fact that the system xsubst is terminating, so that 
only the case when $P$ is an xsubst-normal form remains to be checked, which is done by 
structural induction. □ 
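As an added illustration (it is not part of the paper, nor of its Coq formalisation [Sil09]), the following Python script encodes the term and list syntax of PTSC and the rewrite rules B, A1–A3, B1–B3, C1–C6 and D1–D3 in the form in which they appear in the case analysis of Theorem 5 below, normalises terms by applying them, and checks the last two properties of Lemma 4 on constructed instances by comparing normal forms, which is sound by the confluence the proof above invokes. The tuple encoding and the constructor names (`sort`, `pi`, `lam`, `var`, `app`, `sub`, `cons`, `cat`, `lsub`) are my own. It assumes Barendregt's variable convention, so no α-renaming is performed: a bound variable clashing with a substitution raises instead.

```python
# Added example (not the paper's or its Coq development's code): the rewrite
# system B + xsubst of PTSC on an explicit tuple encoding of terms and lists.
# Assumption: bound variables are distinct from free ones (Barendregt's
# convention), so rules C1 and C5 cross a binder without renaming.

NIL = ('nil',)                                    # []
def sort(s):        return ('sort', s)            # s
def pi(x, A, B):    return ('pi', x, A, B)        # Πx^A.B
def lam(x, A, M):   return ('lam', x, A, M)       # λx^A.M
def var(x, l=NIL):  return ('var', x, l)          # x l
def app(M, l):      return ('app', M, l)          # M l
def sub(Q, y, M):   return ('sub', Q, y, M)       # ⟨Q/y⟩M
def cons(M, l):     return ('cons', M, l)         # M·l
def cat(l1, l2):    return ('cat', l1, l2)        # l1@l2
def lsub(Q, y, l):  return ('lsub', Q, y, l)      # ⟨Q/y⟩l

def fv(t):
    """Free variables of a term or a list (⟨Q/y⟩R binds y in R)."""
    k = t[0]
    if k in ('sort', 'nil'):  return set()
    if k in ('pi', 'lam'):    return fv(t[2]) | (fv(t[3]) - {t[1]})
    if k == 'var':            return {t[1]} | fv(t[2])
    if k in ('sub', 'lsub'):  return fv(t[1]) | (fv(t[3]) - {t[2]})
    return fv(t[1]) | fv(t[2])                    # app, cons, cat

def _binder_ok(x, y, Q):
    if x == y or x in fv(Q):
        raise ValueError(f"bound variable {x} clashes with substitution for {y}")

def root(t):
    """One root-reduction step, or None if no rule applies at the root."""
    k = t[0]
    if k == 'app':
        _, M, l = t
        if M[0] == 'lam' and l[0] == 'cons':      # B
            _, x, A, N = M; _, P, l1 = l
            return app(sub(P, x, N), l1)
        if l[0] == 'nil':   return M              # B1
        if M[0] == 'var':   return var(M[1], cat(M[2], l))    # B2
        if M[0] == 'app':   return app(M[1], cat(M[2], l))    # B3
    elif k == 'cat':
        _, l1, l2 = t
        if l1[0] == 'cons': return cons(l1[1], cat(l1[2], l2))  # A1
        if l1[0] == 'nil':  return l2                           # A2
        if l1[0] == 'cat':  return cat(l1[1], cat(l1[2], l2))   # A3
    elif k == 'sub':
        _, Q, y, R = t
        if R[0] == 'lam':                         # C1
            _, x, A, N = R; _binder_ok(x, y, Q)
            return lam(x, sub(Q, y, A), sub(Q, y, N))
        if R[0] == 'var':                         # C2 (x = y) / C3 (x ≠ y)
            _, x, l = R
            return app(Q, lsub(Q, y, l)) if x == y else var(x, lsub(Q, y, l))
        if R[0] == 'app':   return app(sub(Q, y, R[1]), lsub(Q, y, R[2]))  # C4
        if R[0] == 'pi':                          # C5
            _, x, A, B = R; _binder_ok(x, y, Q)
            return pi(x, sub(Q, y, A), sub(Q, y, B))
        if R[0] == 'sort':  return R              # C6
    elif k == 'lsub':
        _, Q, y, l = t
        if l[0] == 'nil':   return NIL                                      # D1
        if l[0] == 'cons':  return cons(sub(Q, y, l[1]), lsub(Q, y, l[2]))  # D2
        if l[0] == 'cat':   return cat(lsub(Q, y, l[1]), lsub(Q, y, l[2]))  # D3
    return None

def nf(t):
    """Bx-normal form: normalise the sub-terms, then keep reducing at the root."""
    t = tuple(nf(c) if isinstance(c, tuple) else c for c in t)
    r = root(t)
    return t if r is None else nf(r)

def convertible(a, b):
    """a ↔* b decided by comparing normal forms: sound by confluence,
    complete whenever both sides normalise."""
    return nf(a) == nf(b)

def prop4(N, y, P):
    """Lemma 4, fourth item: if y ∉ FV(P) then P ↔* ⟨N/y⟩P."""
    assert y not in fv(P)
    return convertible(P, sub(N, y, P))

def prop5(M, y, N, x, P):
    """Lemma 4, fifth item: ⟨M/y⟩⟨N/x⟩P ↔* ⟨⟨M/y⟩N/x⟩⟨M/y⟩P when x ∉ FV(M)."""
    assert x != y and x not in fv(M)
    return convertible(sub(M, y, sub(N, x, P)), sub(sub(M, y, N), x, sub(M, y, P)))

if __name__ == "__main__":
    # Constructed sample: the B-redex (λx^*. x []) (y []·[]) normalises to y [].
    print(nf(app(lam('x', sort('*'), var('x')), cons(var('y'), NIL))))
    print(prop4(sort('*'), 'v', var('w', cons(var('u'), NIL))))
    print(prop5(var('m'), 'b', var('b'), 'a', var('a', cons(var('b'), NIL))))
```

Normal-form comparison is only a decision procedure where both sides normalise; for ground terms of a strongly normalising PTSC that is always the case, but for an arbitrary PTS the script can loop on a B-redex, exactly as β-reduction would.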

Using all of the results above, subject reduction can be proved: 

Theorem 5 (Subject reduction in a PTSC). 

(1) If $\Gamma\vdash_{\mathrm{PTSC}} M:X$ and $M\longrightarrow_{\mathrm{Bx}} M'$, then $\Gamma\vdash_{\mathrm{PTSC}} M':X$. 

(2) If $\Gamma;Y\vdash_{\mathrm{PTSC}} l:Z$ and $l\longrightarrow_{\mathrm{Bx}} l'$, then $\Gamma;Y\vdash_{\mathrm{PTSC}} l':Z$. 

Proof. By simultaneous induction on the typing tree. For every rule, if the reduction takes 
place within a sub-term that is typed by one of the premisses of the rule (e.g. the conversion 
rules), then we can apply the induction hypothesis on that premiss. In particular, this takes 
care of the cases where the last typing rule is a conversion rule. 
So it now suffices to look at the root reductions. For lack of space we often do not 
display some minor premisses in the following derivations, but we mention them before or after. 
We also drop the subscript PTSC from derivable statements. 
B: $(\lambda x^A.N)\,(P\cdot l_1)\longrightarrow(\langle P/x\rangle N)\,l_1$ 

By the Generation Lemma, 1.(c) and 2.(b), there exist $s, D, E$ such that: 

\[
\dfrac{\dfrac{\Gamma\vdash\Pi x^A.B:s\qquad\Gamma,x:A\vdash N:B}{\Gamma\vdash\lambda x^A.N:C}\qquad\dfrac{\Gamma\vdash P:D\qquad\Gamma;\langle P/x\rangle E\vdash l_1:X}{\Gamma;C\vdash P\cdot l_1:X}}{\Gamma\vdash^*(\lambda x^A.N)\,(P\cdot l_1):X}
\]

with $\Pi x^A.B\longleftrightarrow^* C\longleftrightarrow^*\Pi x^D.E$. Therefore, $A\longleftrightarrow^* D$ and $B\longleftrightarrow^* E$. Moreover, 
$\Gamma\vdash A:s_A$, $\Gamma,x:A\vdash B:s_B$ and $\Gamma$ wf. Hence, we obtain $\Gamma\vdash\langle P/x\rangle B:s_B$, so: 

\[
\dfrac{\dfrac{\dfrac{\Gamma\vdash P:D}{\Gamma\vdash P:A}\qquad\Gamma,x:A\vdash N:B}{\Gamma\vdash\langle P/x\rangle N:\langle P/x\rangle B}\qquad\dfrac{\Gamma;\langle P/x\rangle E\vdash l_1:X}{\Gamma;\langle P/x\rangle B\vdash l_1:X}}{\Gamma\vdash(\langle P/x\rangle N)\,l_1:X}
\]

with $\langle P/x\rangle B\longleftrightarrow^*\langle P/x\rangle E$. 
A1: $(N\cdot l_1)@l_2\longrightarrow N\cdot(l_1@l_2)$ 

By the Generation Lemma 2.(b), there are $A$ and $B$ such that $Y\longleftrightarrow^*\Pi x^A.B$ and: 

\[
\dfrac{\dfrac{\Gamma\vdash\Pi x^A.B:s\qquad\Gamma\vdash N:A\qquad\Gamma;\langle N/x\rangle B\vdash l_1:C}{\Gamma;Y\vdash N\cdot l_1:C}\qquad\Gamma;C\vdash l_2:Z}{\Gamma;Y\vdash^*(N\cdot l_1)@l_2:Z}
\]

Hence, 

\[
\dfrac{\Gamma\vdash Y:s_Y\qquad\dfrac{\Gamma\vdash\Pi x^A.B:s\qquad\Gamma\vdash N:A\qquad\dfrac{\Gamma;\langle N/x\rangle B\vdash l_1:C\qquad\Gamma;C\vdash l_2:Z}{\Gamma;\langle N/x\rangle B\vdash l_1@l_2:Z}}{\Gamma;\Pi x^A.B\vdash N\cdot(l_1@l_2):Z}}{\Gamma;Y\vdash N\cdot(l_1@l_2):Z}
\]

A2: $[]@l_1\longrightarrow l_1$ 

By the Generation Lemma 2.(a), we have $A\longleftrightarrow^* Y$ and 

\[
\dfrac{\Gamma;Y\vdash[]:A\qquad\Gamma;A\vdash l_1:Z}{\Gamma;Y\vdash^*[]@l_1:Z}
\]

Since $\Gamma\vdash Y:s_Y$, we obtain 

\[
\dfrac{\Gamma;A\vdash l_1:Z}{\Gamma;Y\vdash l_1:Z}
\]

A3: $(l_1@l_2)@l_3\longrightarrow l_1@(l_2@l_3)$ 

By the Generation Lemma 2.(d), 

\[
\dfrac{\dfrac{\Gamma;Y\vdash l_1:B\qquad\Gamma;B\vdash l_2:A}{\Gamma;Y\vdash^* l_1@l_2:A}\qquad\Gamma;A\vdash l_3:Z}{\Gamma;Y\vdash^*(l_1@l_2)@l_3:Z}
\]

Hence, 

\[
\dfrac{\Gamma;Y\vdash l_1:B\qquad\dfrac{\Gamma;B\vdash l_2:A\qquad\Gamma;A\vdash l_3:Z}{\Gamma;B\vdash l_2@l_3:Z}}{\Gamma;Y\vdash l_1@(l_2@l_3):Z}
\]

Rules B1–B3. 

B1: $N\,[]\longrightarrow N$ 

\[
\dfrac{\Gamma\vdash N:A\qquad\Gamma;A\vdash[]:X}{\Gamma\vdash^* N\,[]:X}
\]

By the Generation Lemma 2.(a), we have $A\longleftrightarrow^* X$. 
Since $\Gamma\vdash X:s_X$, we obtain 

\[
\dfrac{\Gamma\vdash N:A}{\Gamma\vdash N:X}
\]

B2: $(x\,l_1)\,l_2\longrightarrow x\,(l_1@l_2)$ 

By the Generation Lemma 1.(e), 

\[
\dfrac{\dfrac{(x:A)\in\Gamma\qquad\Gamma;A\vdash l_1:B}{\Gamma\vdash x\,l_1:B}\qquad\Gamma;B\vdash l_2:X}{\Gamma\vdash^*(x\,l_1)\,l_2:X}
\]

Hence, 

\[
\dfrac{(x:A)\in\Gamma\qquad\dfrac{\Gamma;A\vdash l_1:B\qquad\Gamma;B\vdash l_2:X}{\Gamma;A\vdash l_1@l_2:X}}{\Gamma\vdash x\,(l_1@l_2):X}
\]

B3: $(N\,l_1)\,l_2\longrightarrow N\,(l_1@l_2)$ 

By the Generation Lemma 1.(e), 

\[
\dfrac{\dfrac{\Gamma\vdash N:A\qquad\Gamma;A\vdash l_1:B}{\Gamma\vdash^* N\,l_1:B}\qquad\Gamma;B\vdash l_2:X}{\Gamma\vdash^*(N\,l_1)\,l_2:X}
\]

Hence, 

\[
\dfrac{\Gamma\vdash N:A\qquad\dfrac{\Gamma;A\vdash l_1:B\qquad\Gamma;B\vdash l_2:X}{\Gamma;A\vdash l_1@l_2:X}}{\Gamma\vdash N\,(l_1@l_2):X}
\]
Rules C1–C6. We have a redex of the form $\langle Q/y\rangle R$ typed by: 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta\vdash R:X'\qquad\Delta',\langle Q/y\rangle\Delta\subseteq\Gamma\ \text{wf}}{\Gamma\vdash^*\langle Q/y\rangle R:X}
\]

with either $X=X'\in\mathcal S$ or $X=\langle Q/y\rangle X'$. 

In the latter case, $\Gamma\vdash X:s_X$ for some $s_X\in\mathcal S$. We also have $\Gamma$ wf. 
Let us consider each rule: 
C1: $\langle Q/y\rangle\lambda x^A.N\longrightarrow\lambda x^{\langle Q/y\rangle A}.\langle Q/y\rangle N$ 
$R=\lambda x^A.N$ 

By the Generation Lemma 1.(b), there is $s_3$ such that $C\longleftrightarrow^* s_3$ and: 

\[
\dfrac{\dfrac{\Delta',y:E,\Delta\vdash A:s_1\qquad\Delta',y:E,\Delta,x:A\vdash B:s_2}{\Delta',y:E,\Delta\vdash\Pi x^A.B:C}\qquad\Delta',y:E,\Delta,x:A\vdash N:B}{\Delta',y:E,\Delta\vdash\lambda x^A.N:X'}
\]

with $(s_1,s_2,s_3)\in\mathcal R$ and $X'=\Pi x^A.B$. Therefore, $X'\notin\mathcal S$, and as a consequence 
$X=\langle Q/y\rangle X'\longleftrightarrow^*\langle Q/y\rangle\Pi x^A.B\longleftrightarrow^*\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B$. We have: 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta\vdash A:s_1}{\Gamma\vdash\langle Q/y\rangle A:s_1}
\]

Hence, $\Gamma,x:\langle Q/y\rangle A$ wf and $\Delta',\langle Q/y\rangle\Delta,x:\langle Q/y\rangle A\subseteq\Gamma,x:\langle Q/y\rangle A$, so: 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta,x:A\vdash B:s_2}{\Gamma,x:\langle Q/y\rangle A\vdash\langle Q/y\rangle B:s_2}
\]

so that $\Gamma\vdash\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B:s_3$ and 

\[
\dfrac{\dfrac{\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta,x:A\vdash N:B}{\Gamma,x:\langle Q/y\rangle A\vdash\langle Q/y\rangle N:\langle Q/y\rangle B}}{\Gamma\vdash\lambda x^{\langle Q/y\rangle A}.\langle Q/y\rangle N:\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B}\qquad X\longleftrightarrow^*\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B}{\Gamma\vdash\lambda x^{\langle Q/y\rangle A}.\langle Q/y\rangle N:X}
\]
C2: $\langle Q/y\rangle(y\,l_1)\longrightarrow Q\,\langle Q/y\rangle l_1$ 

$R=y\,l_1$ 

By the Generation Lemma 1.(e), $\Delta',y:E,\Delta;E\vdash l_1:X'$. Now notice that $y\notin FV(E)$, so $\langle Q/y\rangle E\longleftrightarrow^* E$ and $\Delta'\vdash E:s_E$. Also, $\Delta'\subseteq\Gamma$, so 

\[
\dfrac{\dfrac{\Delta'\vdash Q:E}{\Gamma\vdash Q:E}\qquad\dfrac{\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta;E\vdash l_1:X'}{\Gamma;\langle Q/y\rangle E\vdash\langle Q/y\rangle l_1:X}\qquad\dfrac{\Delta'\vdash E:s_E}{\Gamma\vdash E:s_E}}{\Gamma;E\vdash\langle Q/y\rangle l_1:X}}{\Gamma\vdash Q\,\langle Q/y\rangle l_1:X}
\]

C3: $\langle Q/y\rangle(x\,l_1)\longrightarrow x\,\langle Q/y\rangle l_1$ (with $x\neq y$) 
$R=x\,l_1$ 

By the Generation Lemma 1.(e), $\Delta',y:E,\Delta;A\vdash l_1:X'$ with $(x:A)\in\Delta',\Delta$. Let 
$B$ be the type of $x$ in $\Gamma$. We have 

\[
\dfrac{\dfrac{\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta;A\vdash l_1:X'}{\Gamma;\langle Q/y\rangle A\vdash\langle Q/y\rangle l_1:X}\qquad\Gamma\vdash B:s_B}{\Gamma;B\vdash\langle Q/y\rangle l_1:X}}{\Gamma\vdash x\,\langle Q/y\rangle l_1:X}
\]

Indeed, if $x\in\mathrm{Dom}(\Delta)$ then $B\longleftrightarrow^*\langle Q/y\rangle A$, otherwise $B\longleftrightarrow^* A$ with $y\notin FV(A)$, 
so in each case $B\longleftrightarrow^*\langle Q/y\rangle A$. Besides, $\Gamma$ wf so $\Gamma\vdash B:s_B$. 
C4: $\langle Q/y\rangle(N\,l_1)\longrightarrow\langle Q/y\rangle N\,\langle Q/y\rangle l_1$ 
$R=N\,l_1$ 

By the Generation Lemma 1.(e), 

\[
\dfrac{\Delta',y:E,\Delta\vdash N:A\qquad\Delta',y:E,\Delta;A\vdash l_1:X'}{\Delta',y:E,\Delta\vdash^* N\,l_1:X'}
\]

Also, we have 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta\vdash A:s_A}{\Gamma\vdash\langle Q/y\rangle A:s_A}
\]

Hence, 

\[
\dfrac{\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta\vdash N:A}{\Gamma\vdash\langle Q/y\rangle N:\langle Q/y\rangle A}\qquad\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta;A\vdash l_1:X'}{\Gamma;\langle Q/y\rangle A\vdash\langle Q/y\rangle l_1:X}}{\Gamma\vdash\langle Q/y\rangle N\,\langle Q/y\rangle l_1:X}
\]

C5: $\langle Q/y\rangle\Pi x^A.B\longrightarrow\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B$ 
$R=\Pi x^A.B$ 

By the Generation Lemma 1.(b), there exists $s_3$ such that $X'\longleftrightarrow^* s_3$ and: 

\[
\dfrac{\Delta',y:E,\Delta\vdash A:s_1\qquad\Delta',y:E,\Delta,x:A\vdash B:s_2}{\Delta',y:E,\Delta\vdash\Pi x^A.B:X'}
\]

with $(s_1,s_2,s_3)\in\mathcal R$. 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta\vdash A:s_1}{\Gamma\vdash\langle Q/y\rangle A:s_1}
\]

Hence, $\Gamma,x:\langle Q/y\rangle A$ wf and $\Delta',\langle Q/y\rangle\Delta,x:\langle Q/y\rangle A\subseteq\Gamma,x:\langle Q/y\rangle A$, so we obtain: 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta,x:A\vdash B:s_2}{\Gamma,x:\langle Q/y\rangle A\vdash\langle Q/y\rangle B:s_2}
\]

and hence that $\Gamma\vdash\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B:s_3$. 
Now if $X'\in\mathcal S$, then $X=X'=s_3$ and we are done. 

Otherwise $X=\langle Q/y\rangle X'\longleftrightarrow^*\langle Q/y\rangle s_3\longleftrightarrow^* s_3$, and we conclude using a conversion 
rule (because $\Gamma\vdash X:s_X$). 
C6: $\langle Q/y\rangle s\longrightarrow s$ and $R=s$. By the Generation Lemma 1.(a), we obtain $X'\longleftrightarrow^* s'$ 
for some $s'$ with $(s,s')\in\mathcal A$. Since $\Gamma$ wf, we obtain $\Gamma\vdash s:s'$. If $X'\in\mathcal S$, then 
$X=X'=s'$ and we are done. Otherwise $X=\langle Q/y\rangle X'\longleftrightarrow^*\langle Q/y\rangle s'\longleftrightarrow^* s'$ and 
we conclude using a conversion rule (because $\Gamma\vdash X:s_X$). 
Rules D1–D3. We have a redex of the form $\langle Q/y\rangle l_1$ typed by: 

\[
\dfrac{\Delta'\vdash Q:E\qquad\Delta',y:E,\Delta;Y'\vdash l_1:Z'\qquad\Delta',\langle Q/y\rangle\Delta\subseteq\Gamma\ \text{wf}}{\Gamma;Y\vdash^*\langle Q/y\rangle l_1:Z}
\]

with $Z=\langle Q/y\rangle Z'$ and $Y=\langle Q/y\rangle Y'$. We also have $\Gamma$ wf, $\Gamma\vdash Y:s_Y$ and $\Gamma\vdash Z:s_Z$. 
Let us consider each rule: 
D1: $\langle Q/y\rangle[]\longrightarrow[]$ 

By the Generation Lemma 2.(a), $Y'\longleftrightarrow^* Z'$, so $Y\longleftrightarrow^* Z$. 

\[
\dfrac{\dfrac{\Gamma\vdash Y:s_Y}{\Gamma;Y\vdash[]:Y}\qquad\Gamma\vdash Z:s_Z}{\Gamma;Y\vdash[]:Z}
\]
D2: $\langle Q/y\rangle(N\cdot l_2)\longrightarrow(\langle Q/y\rangle N)\cdot(\langle Q/y\rangle l_2)$ 

$l_1=N\cdot l_2$ 

By the Generation Lemma 2.(b), there are $A,B$ such that 
$Y'\longleftrightarrow^*\Pi x^A.B$ and: 

\[
\dfrac{\Delta',y:E,\Delta\vdash\Pi x^A.B:s\qquad\Delta',y:E,\Delta\vdash N:A\qquad\Delta',y:E,\Delta;\langle N/x\rangle B\vdash l_2:Z'}{\Delta',y:E,\Delta;\Pi x^A.B\vdash^* l_1:Z'}
\]

From $\Delta',y:E,\Delta;\langle N/x\rangle B\vdash l_2:Z'$ we obtain 

\[
\Gamma;\langle Q/y\rangle\langle N/x\rangle B\vdash\langle Q/y\rangle l_2:Z
\]

From $\Delta',y:E,\Delta\vdash N:A$ we obtain $\Gamma\vdash\langle Q/y\rangle N:\langle Q/y\rangle A$. 

From $\Delta',y:E,\Delta\vdash\Pi x^A.B:s$, part (b) of the Generation Lemma 1 allows us to 
conclude $\Delta',y:E,\Delta\vdash A:s_A$ and $\Delta',y:E,\Delta,x:A\vdash B:s_B$. Hence we obtain 

\[
\dfrac{\Delta',y:E,\Delta\vdash A:s_A}{\Gamma\vdash\langle Q/y\rangle A:s_A}
\]

and thus $\Gamma,x:\langle Q/y\rangle A$ wf and then 

\[
\dfrac{\Delta',y:E,\Delta,x:A\vdash B:s_B}{\Gamma,x:\langle Q/y\rangle A\vdash\langle Q/y\rangle B:s_B}
\]

From that we obtain both $\Gamma\vdash\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B:s$ and 

\[
\Gamma\vdash\langle\langle Q/y\rangle N/x\rangle\langle Q/y\rangle B:s_B.
\]

Note that $\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B\longleftrightarrow^*\langle Q/y\rangle\Pi x^A.B\longleftrightarrow^*\langle Q/y\rangle Y'=Y$, and that $\langle Q/y\rangle\langle N/x\rangle B\longleftrightarrow^*\langle\langle Q/y\rangle N/x\rangle\langle Q/y\rangle B$ by the last property of Lemma 4. We obtain 

\[
\dfrac{\dfrac{\Gamma\vdash\langle Q/y\rangle N:\langle Q/y\rangle A\qquad\dfrac{\Gamma;\langle Q/y\rangle\langle N/x\rangle B\vdash\langle Q/y\rangle l_2:Z}{\Gamma;\langle\langle Q/y\rangle N/x\rangle\langle Q/y\rangle B\vdash\langle Q/y\rangle l_2:Z}}{\Gamma;\Pi x^{\langle Q/y\rangle A}.\langle Q/y\rangle B\vdash(\langle Q/y\rangle N)\cdot(\langle Q/y\rangle l_2):Z}}{\Gamma;Y\vdash(\langle Q/y\rangle N)\cdot(\langle Q/y\rangle l_2):Z}
\]
D3: $\langle Q/y\rangle(l_2@l_3)\longrightarrow(\langle Q/y\rangle l_2)@(\langle Q/y\rangle l_3)$ 

$l_1=l_2@l_3$ 

By the Generation Lemma 2.(d), 

\[
\dfrac{\Delta',y:E,\Delta;Y'\vdash l_2:A\qquad\Delta',y:E,\Delta;A\vdash l_3:Z'}{\Delta',y:E,\Delta;Y'\vdash^* l_2@l_3:Z'}
\]

Hence 

\[
\dfrac{\Gamma;Y\vdash\langle Q/y\rangle l_2:\langle Q/y\rangle A\qquad\Gamma;\langle Q/y\rangle A\vdash\langle Q/y\rangle l_3:Z}{\Gamma;Y\vdash(\langle Q/y\rangle l_2)@(\langle Q/y\rangle l_3):Z}
\]